PROFESSOR DAVID BARRETT LTD – PRIVACY NOTICE
INTRODUCTION AND DEFINITIONS
Professor David Barrett Ltd (“we”, “our” and “us”) is committed to protecting and respecting your privacy.
Our site may, from time to time, contain links to and from third party sites. If you follow a link to any of these websites, please note that these sites have their own privacy policies and that we do not accept any responsibility or liability for those policies. Please check their privacy policies before you submit any personal data to those websites as they may not be on the same terms as ours.
If you have questions about correcting or deleting your personal data please refer to sections 3 and 9 below.
References in this policy to “data protection law” mean (as applicable) the Data Protection Act 1998, the General Data Protection Regulation (Regulation (EU) 2016/679) and all related data protection legislation having effect in the United Kingdom from time to time.
References in this policy to “data” or “information” include “sensitive personal data” and “special categories of data” (as defined under data protection law) where applicable.
- Our details
- The data controller with conduct of your personal information is Professor David Barrett Ltd whose company number is 5872115 and whose registered office is at Thorne House, 1a The Avenue, Tiverton, Devon EX16 4HR. Our principal place of business is the Spire Southampton Hospital, Chalybeate Close, Southampton SO16 6UY.
- Our data protection officer is Bernice Allison of Spire Southampton Hospital, Chalybeate Close, Southampton SO16 6UY.
- How we use your information
- The following sections explain what information we hold about you, why we are processing that information, the legal basis for the processing, the duration for which we keep your information and (if applicable) who your information will be shared with and where those recipients are based.
- Which information do we process and for what purpose?
- We process the following information from you:
- Information you give us. This is information about you that you give us by filling in forms on our site or our initial consultation form, or by corresponding with us in writing, by email, over the phone or via social media. The information you give us may include your name, address, email address, phone number, date of birth, NHS number, GP’s name and address and details of your medical insurance (if applicable). We also receive bank and/or credit/debit card details from patients.
- Information you give us will include “special categories” of more sensitive personal information. This will include information about your former and current health, including healthcare you have received from other healthcare providers and which may include details of clinic and hospital visits, as well as medicines administered.
- We process information you give to us for the following purposes:
- to provide you with medical treatment and any other services ancillary to your treatment with us;
- administer our site and business;
- send statements, invoices and payment reminders to you and collect payments from you;
- maintain our business records, monitor outcomes and respond to any complaints.
- Information we collect about you. Like most other website operators, we collect non-personally identifying information of the sort that web browsers and servers typically make available. This includes technical information, such as your IP address and your login information and information about your visit, such as records of how you navigate the pages on our site and how you interact with the pages.
- We process information we collect about you for the following purposes:
- to allow us to administer the account you hold with us;
- to improve our services; and
- to ensure that content from our site is presented in the most effective manner for you and for your device.
- Information obtained from or provided by third parties. We receive information about you:
- including your medical records and other information about your health and previous medical treatment (which is special category data) from other health care professionals, including but not limited to, your GP and other clinicians and consultants. Medical records include information about your diagnosis, clinic and hospital visits and medicines administered;
- from your family or other representatives; and
- from your insurance policy provider (if applicable).
- We process information we obtain from or are provided by third parties to provide you with medical treatment and any other services ancillary to your treatment with us.
- What are the grounds for processing your information?
- We are processing your data on the following grounds:
- you have consented to the processing for the purposes stated in section 2, above;
- the processing is necessary for the performance of the contract for the provision of medical treatment between you and us. This includes where you have instructed us to take some pre-contractual steps prior to us formalising the contract. Such processing is conducted subject to obligations of professional confidentiality;
- the processing is necessary for us to comply with our legal obligations;
- the processing is necessary for achieving our legitimate interest of operating as a private knee surgery specialist. In accordance with data protection law, we have carefully weighed your interests and fundamental rights and freedoms against our interest to process your information and are satisfied that we are justified in processing your information for this purpose.
- processing is necessary for the establishment, exercise or defence of legal claims;
- in relation to special category data – the processing is necessary to protect your vital interests where you are physically or legally incapable of giving consent; and
- in relation to special category data – the processing is necessary for the provision of health care pursuant to a contract with a health professional.
- Duration and further processing
- We only keep your information for so long as it is reasonably necessary. When setting our data retention periods, we consider the amount, nature, and sensitivity of the information we hold, the potential risk of harm from unauthorised use or disclosure of the information and the purposes for which we process the information (including whether we can achieve those purposes by other means). We also take into account our other legal obligations to keep or securely dispose of personal information.
- Generally speaking, we retain your information for 8 years in line with our legal obligations. If we need to keep your information for a longer period then we will notify you of the reason and grounds for doing so and we will regularly review the duration of these longer periods of retention.
- Who is your information shared with?
- In order to achieve the purpose(s) set out in section 2 above, we may share your data with the following people or groups of people:
- Your GP and other clinicians, consultants and physiotherapists in relation to your medical treatment and care. If you do not wish us to share information about your treatment with your GP, please let us know;
- Your insurance policy provider (if applicable);
- Family members or other representatives that you consent to us speaking to about your treatment;
- Our outsourced IT providers may have access to your personal data on our IT systems if such access is required to enable them to resolve problems with our systems. Typically, your personal information will be encrypted before it is transferred to our hosts but in certain circumstances they may require access to unencrypted data, for example when we need to troubleshoot an issue with your account on our computer system. Our IT providers are subject to strict contractual obligations to treat your personal information with the utmost sensitivity, to keep it confidential and to comply with data protection law at all times;
- We may provide personal data to our legal advisers or other professional advisers, if necessary to defend claims, protect our rights, or receive advice on compliance with the law. Such transfers will be protected by confidentiality obligations owed by our advisers; and
- We may share anonymised, pseudonymised and non-personal information with sub-contractors engaged by us to help us operate our site or to analytics and search engine providers that assist us in the improvement and optimisation of our site.
- To the best of our knowledge, understanding and belief, your information will not be transferred outside of the European Economic Area or to any country which is not approved by the European Commission. If this changes then we will let you know.
- We may contact you in a range of ways, including by telephone, SMS, email and/or post. When contacting you by telephone, we will usually ring your mobile number (if supplied to us) in preference to a landline and leave a voicemail if necessary. If we do call your landline and need to leave a message, we will include only sufficient basic details to enable you to identify who the call is from, very limited details as to the reason for the call and how to call us back.
- We will ask you on our initial patient form if there are any family members or other persons you are happy for us to discuss your treatment with. If you name such persons on this form then you are consenting to us speaking to them about your treatment and related matters.
- Your rights
- Under data protection law you have the following rights:
- if we are processing your data on the basis of your consent then you have the right to withdraw that consent at any time. Consent can be withdrawn by notifying us using the details set out in section 9. The lawfulness of our historic processing based on your consent will not be retrospectively affected by your withdrawal of consent;
- the right to access a copy of your information which we hold. This is called a ‘subject access request’. Additional details on how to exercise this right are set out in section 6, below;
- the right to prevent us processing your information for direct marketing purposes. Please note that we do not currently process your information for this purpose;
- the right to object to decisions being made about you by automated means. Please note that we do not make automated decisions about you based on your information;
- the right to object to us processing your personal information in certain other situations;
- the right, in certain circumstances, to have your information rectified, blocked, erased or destroyed if it is inaccurate; and
- the right, in certain circumstances, to claim compensation for damages caused by us breaching data protection law.
- From 25 May 2018 you will have the following additional rights under data protection law:
- enhanced rights to request that we erase, rectify, cease processing and/or delete your information; and
- in certain circumstances, the right to request the information we hold on you in a machine readable format so that you can transfer it to other services. This right is called ‘data portability’. Additional details on how to exercise this right are set out in section 6, below.
- You also have the general right to complain to us (in the first instance) and to the Information Commissioner’s Office (if you are not satisfied by our response) if you have any concerns about how we hold and process your information. Our contact details are set out in section 9, below. The Information Commissioner’s Office website is ico.org.uk.
- For further information on your rights under data protection law and how to exercise them, you can contact Citizens Advice Bureau (citizensadvice.org.uk) or the Information Commissioner’s Office (www.ico.org.uk).
- We use only session cookies on our site.
- The names of the cookies that we use on our site, and the purposes for which they are used, are set out below:
We use easy_eu_cookie_law on our website to personalise the site for each user.
We use Google Analytics to analyse the use of our website.
Our analytics service provider generates statistical and other information about website use by means of cookies.
The analytics cookies used by our website have the following names: _ga, _gat, __utma, __utmt, __utmb, __utmc, __utmz and __utmv.
The information generated relating to our site is used to create reports about the use of our site.
Most browsers allow you to refuse to accept cookies; for example:
(a) in Internet Explorer (version 11) you can block cookies using the cookie handling override settings available by clicking “Tools”, “Internet Options”, “Privacy” and then “Advanced”;
(b) in Firefox (version 39) you can block all cookies by clicking “Tools”, “Options”, “Privacy”, selecting “Use custom settings for history” from the drop-down menu, and unticking “Accept cookies from sites”; and
(c) in Chrome (version 44), you can block all cookies by accessing the “Customise and control” menu, and clicking “Settings”, “Show advanced settings” and “Content settings”, and then selecting “Block sites from setting any data” under the “Cookies” heading.
Blocking all cookies will have a negative impact upon the usability of many websites.
If you block cookies, you will not be able to use all the features on our site.
You can delete cookies already stored on your computer; for example:
(a) in Internet Explorer (version 11), you must manually delete cookie files (you can find instructions for doing so at http://windows.microsoft.com/en-gb/internet-explorer/delete-manage-cookies#ie=ie-11);
(b) in Firefox (version 39), you can delete cookies by clicking “Tools”, “Options” and “Privacy”, then selecting “Use custom settings for history” from the drop-down menu, clicking “Show Cookies”, and then clicking “Remove All Cookies”; and
(c) in Chrome (version 44), you can delete all cookies by accessing the “Customise and control” menu, and clicking “Settings”, “Show advanced settings” and “Clear browsing data”, and then selecting “Cookies and other site and plug-in data” before clicking “Clear browsing data”.
Deleting cookies will have a negative impact on the usability of many websites.
- ACCESS TO INFORMATION
- Under data protection law you can exercise your right of access by making a written request to receive copies of some of the information we hold on you. You must send us proof of your identity, or proof of authority if making the request on behalf of someone else, before we can supply the information to you. Requests should be sent to us using the contact details in section 9 below.
- From 25 May 2018 you will:
- no longer have to pay a £10 fee unless you are requesting copies of documents you already possess, in which case we may charge our reasonable administrative costs. We will also be allowed to charge you for our reasonable administrative costs in collating and providing you with details of the requested information which we hold about you if your request is clearly unfounded or excessive. In very limited circumstances, we are also entitled to refuse to comply with your request if it is particularly onerous; and
- in certain circumstances, be entitled to receive the information in a structured, commonly used and machine readable form.
- Data security
- We will always store your digital information on secure servers. Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your information, we cannot guarantee the security of your information transmitted to our site or otherwise to our servers (such as by email). Any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.