Terms and Conditions

1: What is the purpose of this document?

Ulster Independent Clinic is committed to protecting the privacy and security of your personal data.

This privacy notice describes how we collect and use your personal data during and after your treatment and provides information in respect of your privacy rights and how the law protects you.

It is important that you read this privacy notice together with any other privacy notice or consent request we may provide on specific occasions when we are collecting or processing your personal data so that you are fully aware of how and why we are using your data.

2. WHO WE ARE AND GENERAL INFORMATION

CONTROLLER

Ulster Independent Clinic is a “data controller” for any of your personal data we hold (collectively referred to as the “Clinic”, “we”, “us” or “our” in this privacy notice). This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

The Consultant/s providing your private medical treatment at the Clinic are joint “data controllers” in relation to your personal data which they hold for the provision of your private medical care.

This privacy notice is for all patients of the Clinic.

CONTACT DETAILS

If you have any questions about this privacy notice, including how we handle your personal data or requests to exercise your legal rights, please contact our Data Protection Officer (DPO), in one of the following ways:

Email: secretary@uic.org.uk.

Postal Address:
Data Protection Officer
Ulster Independent Clinic
245 Stranmillis Road
Belfast BT9 5JH

Telephone: 028 9066 1212

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO so please contact us in the first instance outlining your concerns.

CHANGES TO THIS PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES

We keep our privacy notice under regular review. This version was last updated on 8th September 2023. We ensure that any updates to this privacy notice are made available on our website and in our patient booklets.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

THIRD PARTY LINKS

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices. When you leave our website, we encourage you to read the privacy notice of every website you visit.

2: DATA PROTECTION PRINCIPLES

We will comply with data protection law, which says that the personal data we hold about you must be:

1. Used lawfully, fairly and in a transparent way.

2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

3. Relevant to the purposes we have told you about and limited only to those purposes.

4. Accurate and kept up to date.

5. Kept only as long as necessary for the purposes we have told you about.

6. Kept securely.

3: THE KIND OF DATA WE HOLD ABOUT YOU

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the person’s identity has been removed (anonymous data).

There are certain types of more sensitive personal data which require a higher level of protection, such as information about a person’s health, religion or race, which are called “special category data”.

We will collect, store, and use the following categories of your personal data:

Contact Data - personal contact details such as name, title, addresses, telephone numbers and personal email addresses.

Identity Data - personal details such as date of birth, gender, marital status, photographic ID, next of kin, emergency contact information and dependants.

Private Medical Insurance Data - medical insurance details, including membership numbers and compensation history.

Financial Data - payment information, including invoices, payment methods, bank/card details and billing address.

Image Data – visual images, personal appearances and behaviour of individuals (but not sound) shall be collected by our CCTV when patients attend the publicly accessible parts of our property. For the avoidance of doubt, there are no CCTV cameras within the consulting rooms, wards or theatres on our property.

Audio Data – recordings of phone calls, which are taken for training and complaint management purposes.

Personal Views – your feedback and responses to our patient satisfaction survey, should you provide same, or details of any complaint you submit to us.

• Any further information that you choose to tell us.

We will also collect, store and use the following more sensitive types of personal data:

Health Data – details of your health comprising records, records of health conditions, any disability, treatments and care received including vaccination status, prescriptions, notes and reports about your health from your GP, results of x-rays, MRI or CT results, relevant images, including high definition images and videos and associated reports, blood tests, pathology tests, tissue samples and other relevant medical examinations.

Religious Data – data in respect of your religion is collected at admission so that we can make any arrangements as necessary being mindful of your religious beliefs, such as arranging any chaplaincy attendances.

Sex Life Data – on occasion, we may collect data pertaining to your sex life or sexual orientation; for example, we will make enquiries of female patients as to the chance of pregnancy prior to undertaking an x-ray, tests or procedure.

4: HOW IS YOUR PERSONAL DATA COLLECTED?

The Clinic will collect the personal data identified above to provide your medical care and in order to improve the quality of the services provided by the Clinic. We use different methods to collect personal data from and about you, including through:

Direct interactions – primarily we collect personal data about you, the patient, through the referral process and throughout the course of the provision of medical care to you, either directly from you or from your parent, carer or guardian. Such collection occurs when you enquire about medical services the Clinic provides; when you complete forms; when you request information from us; throughout the provision of medical care; and when you give us feedback by completing voluntary surveys.

Third parties – in some circumstances, we shall receive personal data from the following sources: your GP, dentist, physiotherapist or optometrist; a health care trust; a consultant or other health care provider by a referral letter; your medical insurance provider; your employer; your other third party payee such as a sports club; the Home Office or other parties involved in facilitating the care of asylum seekers; or in some instances from your legal representative.

5: HOW WE WILL USE YOUR PERSONAL DATA

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform an agreement we have entered into with you.

• Where we need to comply with a legal obligation.

• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal data in the following situations, which are likely to be rare:

• Where we need to protect your interests (or someone else’s interests).

• Where it is needed in the public interest.

We have set out below a description of the ways we plan to use your personal data and sensitive data (Health Data), and which of the legal bases (legal grounds) we rely on to do so. Note that we may process your personal data on more than one legal basis, when several grounds exist.

CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

DO WE NEED YOUR CONSENT?

We do not need your consent if we use your personal data and sensitive data in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of your medical care. In limited circumstances as identified above, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

6: DATA SHARING

We may have to share your data with third parties, including third party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law. If we do, you can expect a similar degree of protection in respect of your personal data.

WHY MIGHT WE SHARE YOUR PERSONAL DATA WITH THIRD PARTIES?

We will only share your personal data with third parties where required by law, where it is necessary to administer your medical care pursuant to our contract with you.

WHO WE SHARE YOUR PERSONAL DATA WITH

We will share your personal data with the parties set out below for the purposes set out in the table above:

• medical consultants involved in the provision of your medical care at the Clinic acting as joint controllers;

• GPs, other doctors and consultants or other health professionals or providers who are involved in the provision of your medical care, who do not operate at the Clinic acting as controllers;

• NHS England, HSC Northern Ireland, HSE Northern Ireland, HSE Republic of Ireland including for the provision of your medical care and for the maintenance of statutory registers acting as controllers;

• RQIA and the Department of Health, PHIN and other statutory bodies, regulators and health boards acting as controllers;

• your insurer, legal representative or other third party payee such as your sports club or society, acting as controllers;

• our auditors as we may engage from time to time acting as controllers, who may on occasion request certain data sets which comprise personal data;

together with the following third party service providers we engage:

• our legal representatives, in connection with the defence of any claim or other analogous legal advice;

• our hardcopy storage providers we may instruct;

• debt collection agencies we engage from time to time;

• third party providers who supply IT support and maintenance services in respect of our systems and equipment, which include Acorn, Toadstool Technologies, Siemens, Philips, and GE, together with other such providers;

• providers of shredding services who we appoint from time to time.

• our third party supplier Cemplicity, who shall collect feedback, as we are required to seek this information by law, the responses of which we are legally obliged to submit to PHIN. Cemplicity use a sub-processor Twilio and Sendgrid Services, to issue a text message and emails with a link to the survey. Twilio and Sendgrid Services will not receive any of your sensitive personal data and the information shall be limited to your name, phone number and email address.

We will only share personal information as necessary to achieve the purpose of the processing.

SECURITY OF MY PERSONAL DATA SHARED WITH THIRD PARTY SERVICE PROVIDERS

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies and to treat your personal data in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and they are only permitted to process your personal data for specified purposes and in accordance with our instructions.

WHAT ABOUT OTHER DATA CONTROLLERS?

We will only share your personal data (including your sensitive personal data) with the health care professionals and Consultant/s providing your private medical care at the Clinic for the purpose of fulfilling our legal obligations to you or as required by law.

7: TRANSFERS OF PERSONAL DATA OUTSIDE THE UNITED KINGDOM

For the most part, we do not transfer your personal data outside the United Kingdom. However, in the following limited circumstances, your personal data will be transferred outside the United Kingdom so that we can perform our contract with you and provide the medical services:

• it may be necessary to transfer your personal information (including your sensitive personal data) to another health care professional located outside the United Kingdom for the provision of further health care advice and treatment;

• our service provider Cemplicity provide some technical support services from New Zealand. Any personal data transferred or accessed in New Zealand shall be aggregated;

• Cemplicity’s sub-processors Twilio and Sendgrid are located in San Francisco, which will involve a transfer of your name, email address and mobile number to San Francisco; or

• if you are a patient from another jurisdiction visiting Northern Ireland (either for leisure or specifically for health care) and attend at the Clinic for treatment, we may transfer your personal data to your home jurisdiction once you leave the Clinic through any ongoing engagement.

MEASURES WE TAKE

Whenever we transfer your personal data outside of the United Kingdom, we ensure a similar degree of protection is afforded by ensuring at least one of the following standards is implemented:

• we only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data (which includes EU countries and New Zealand); or

• where we use service providers, we use specific contracts approved for use in the United Kingdom which give personal data the same protection, or ensure they have entered such contracts with their sub-processors.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data outside the United Kingdom.

8: DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9: DATA RETENTION

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or statutory reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

We shall retain all your health records collated during your treatment at the Clinic and which relate to your health records, which shall comprise Contact Data, Identity Data, Health Data and Sex Life Data (where applicable) for the following time periods, being the statutory retention periods for health records:

• Adult patients – 8 years from the date of last entry;

• Paediatric patients – until 25th birthday, or if the patient is 17 at the time of last entry, then to be retained until 26th birthday;

• Chemotherapy patients – 30 years or for 8 years if the patient has died.

Data relating to the payment of the services shall be retained for the following retention periods:

• Invoices and Private Medical Insurer details comprising Identity Data, Financial Data and insurance Data – 7 years;

• Private Medical Insurance remittances comprising Identity Data and Private Medical Insurance Data – 3 years; and

• Details of non-payors comprising Identity Data – until account has been paid.

10: RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION

INFORM US OF CHANGES

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your treatment.

YOUR RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data. Under such laws, you have the right to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below). Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons, which will be notified to you (if applicable) at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.

Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.

Request the transfer of your personal data to another party.

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our DPO.

WITHDRAWING CONSENT

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our DPO. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.