Data Protection Laws set out the obligations HCA UK has to you for the processing of your Personal Data. When we use or disclose your personal data we will comply with these Laws.
Your Personal Data is data which by itself or with other data available to HCA International Limited (HCA UK) can be used to identify you as an individual. HCA UK is the Data Controller. This Privacy Notice sets out how HCA will use your personal data. You can contact our Data Protection Officer (DPO) at 242 Marylebone Rd, Marylebone, London NW1 6JL, or at DPO@hcahealthcare.co.uk if you have any questions.
COVID–19 Data Protection Statement
During these unprecedented times, HCA Healthcare’s main priority is the health and safety of our patients, colleagues and the wider community as well as supporting the NHS in responding to the COVID-19 pandemic. We are supporting the NHS in responding to the COVID-19 pandemic and this will remain our focus for the foreseeable future.
As a result of these unique circumstances, HCA may need to share personal data with the NHS and other regulatory and government bodies for the purpose of supporting the response to the COVID-19 pandemic. Each of our hospitals is working in collaboration with their local NHS trusts to ensure we can provide the right help, exactly where and when it is needed and this may involve personal data being shared with us by the local Trusts. This will be done in accordance with data protection laws and will include any amendments to legislation made by the Secretary of State. We will also consider any guidance provided by the Information Commissioner’s Office.
When the NHS and its healthcare professionals provide your healthcare services at a HCA hospital, the privacy notice of the relevant NHS Trust may also apply.
Data Subject’s Rights
Due to the current circumstances, if you submit a Subject Access Request (SAR) or other Data Subjects Rights request, please be aware that you may experience a delay in us responding to your request. That’s because we will be diverting resources to help with other challenges and ensuring the ongoing healthcare and treatment of our patients.
At this current time we are unable to collect any correspondence sent via post. If you need to get in touch regarding a SAR or other information request, please contact us via email at DPO@HCAHealthcare.co.uk
The types of personal data we collect and use
We will use your personal data for the reasons set out below. We will collect most of this directly during the registration and/or admission process but there may be sources of personal data collected indirectly as set out later in this document. The personal data we use may include:
- Your name, address and contact details, including email address and home and mobile telephone numbers. If you provide these details, we may use them to contact you unless you ask us not to. This could include emails, text or voicemail messages;
- Date of birth and gender;
- Your previous and current medical health records whether provided by HCA UK or other third parties;
- The terms and conditions of your contract with us for the provision of healthcare and related services;
- Your bank account and national insurance number if you are a ‘self-pay’ patient or the financial information of the company or individual who is responsible for the payment of invoices/bills relating to your care (e.g. insurer, sponsor or Guarantor);
- We will take a swipe of your debit or credit card. We will let you know if we intend to take a payment from this card before we do so;
- Information about your marital status, next of kin, dependants nominated and/or emergency contacts;
- Information about your nationality and entitlement to treatment in the UK;
- Information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
- Information about medical or health conditions of your family;
- Information received in response to any surveys, complaints claims;
- Equal opportunity monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief; and
- Information about how you use our website.
- If you are employed by HCA UK we will also hold and process other information relating to your employment (You can obtain a copy of the Staff Privacy Notice from the HR team).
- If you are a Consultant/ Doctor or other healthcare provider you are not employed by HCA UK but we will also hold and process other information relating to the clinical services you carry out. (You can obtain further information from the facility CEOs or your clinical contact.
- This data may also include visual images, personal appearance and behavior e.g. where CCTV is used as part of our building security measures.
HCA UK may collect this information in a variety of ways. For example, data might be collected through Registration and Admission forms; obtained from your passport or other identity documents such as your driving licence; from pre-admission forms, online web forms completed by you at the start of your treatment; from correspondence with you; through the Admission and Registration process or through interviews, meetings or other assessments.
In some cases, the organisation may collect personal data about you from third parties, such as insurer providers, referral agencies, sponsors, checks permitted by law.
Providing your personal data
We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide care and treatment to you and receive payment for these services.
Monitoring of communications
Subject to applicable laws, we may monitor and record telephone calls, emails, text messages, social media messages and other communications in relation to our dealings with you. We will do this to ensure an appropriate standard of care, for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications networks and systems, to check for unlawful content, obscene or profane content, for quality control and staff training, and when we need to see a record of what has been said. We may also monitor activities on our network and systems where necessary for these reasons and this is for our legitimate interests or other legal obligations.
Using your personal data and the legal basis for processing
We will process your personal data under Article 6 (1)b; Article 9 (2)h of the General Data Protection Regulations. In addition HCA will rely one or more of the following basis when sharing personal data as part of our support work with the NHS during the COVID-19 pandemic:
- Legal obligation: the processing is necessary for compliance with a legal obligation Article 6 (1)(c) *
- Vital interests: the processing is necessary to protect someone’s life. Article 6 (1) (d)
- Public interest: the processing is necessary to perform a task in the public interest. Article 6 (e)
- Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third party Article 6 (1) (f)
When processing special category data for the purposes of;
- Employment, social security and social protection Article 9 (2)(b)
- Vital interests of the Data Subject Article 9 (2) (c)
- Substantial public interest Article 9 (2) (g)
- Provision of health or social care Article 9 (2) (h)
- Public interest in the area of public health such as protecting against serious cross border threats to health Article 9 (2) (i)
* This includes the Notice by Secretary of State under Reg 3(4) of Health Service Control of Patient Information Regulations issued 1st April 2020 allowing healthcare providers to share personal data and any other such notice that may be issued to support efforts against COVID-19.
We use your personal data to support the provision of your healthcare in the following ways:
- To support the provision of your healthcare;
- To decide how best to provide treatment to you;
- As necessary to support the healthcare contract with you and to allow us to receive full payment for those services;
- To take steps at your request during the course of your treatment;
- To keep your records up to date;
- We will process your personal data under Article 6 (1) f of the General Data Protection Regulations:
As necessary for our own legitimate interests or those of other persons and organisations;
- For good governance, accounting, and managing and auditing our clinical and business operations both internally and by third parties;
- For surveys of patient experience and quality of care;
- To monitor emails, calls, other communications, and activities on HCA networks and systems;
- For market research, other surveys and analysis and developing statistics for improving clinical performance; and
As necessary to comply with a legal obligation:
- When you exercise your rights under data protection law and make requests;
- For compliance with legal and regulatory requirements and related disclosures;
- For establishment and defence of legal rights;
- For activities relating to the prevention, detection and investigation of crime;
- To verify your identity, make credit fraud prevention and anti-money laundering checks; and
- To investigate complaints, legal claims and data protection or clinical incidents.
Based on your consent:
- With your next of kin or other nominated contact;
- If you ask us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf; or otherwise agree to disclosures;
- With third parties including pharmaceutical companies and Universities and other research bodies for scientific research;
- When we process any special categories of personal data about you at your request (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation).
You are free at any time to change your mind and withdraw your consent. We will advise you if the consequence of doing so is that we cannot continue to provide full healthcare services to you.
Sharing of your personal data
Subject to applicable data protection laws we may share your personal data with:
- Consultants/Doctors and other healthcare professionals who provide treatment to you at our facilities;
- Other healthcare providers including your General Practitioner (GP) where we believe this will enhance the quality of your care. Let us know if you do not wish us to share information with your GP;
- The HCA group of companies and associated companies including entities in the United States;
- Sub-contractors and other persons who help us to provide healthcare products and services to you;
- Companies and other persons including interpreters providing services to you as part of your extended care and post care follow-up;
- Our legal and other professional advisors, including our auditors;
- Fraud prevention agencies, credit reference agencies, and debt collection agencies;
- Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators including the Information Commissioner’s Office and Care Quality Commission (CQC);
- General Medical Council and other professional bodies;
- Courts, to com ply with legal requirements, and for the administration of justice;
- In an emergency or to otherwise protect your vital interests;
- To protect the security or integrity of our business operations and other patients;
- When we restructure or buy or sell our business or its assets or have a merger or re-organisation;
- Payment systems and providers; and
- Anyone else where we have your consent or as required by law
Sharing of your Personal Data during the Covid-19 pandemic
During the Covid-19 pandemic your personal data may also be shared for the following purposes:
- Understanding Covid-19 trends and risks to public health and controlling and preventing the spread of Covid-19
- Identifying and understanding information about patients or potential patients with or at risk of Covid-19 including patient exposure to Covid-19
- Management of patients with or at risk of Covid-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from Covid-19
- Understanding capacity and availability information about patient access to health services and adult social care services
- Monitoring and managing the response to Covid-19 by health and social care bodies and the Government including providing information (including workforce details) to the public about Covid-19
- Delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with Covid-19
- Research and planning in relation to Covid-19.
We will regularly review this privacy statement and its applicability throughout the COVID-19 outbreak. We may also notify you in other ways from time to time about the processing of your personal information.
Sharing of your personal data to contribute to the review and publishing of information about the quality and cost of privately funded healthcare
Subject to applicable data protection laws HCA Healthcare (HCA UK) is required to provide hospital performance data to the Private Healthcare Information Network (PHIN), which publishes information on the quality and cost of privately funded healthcare.
PHIN’s goal is to help patients make more informed choices about where to go for treatment.
The Private Healthcare Information Network (PHIN) is the independent, government-mandated source of information about private healthcare. PHIN operates with a legal mandate to work with all hospitals and consultants providing private healthcare across the whole of the UK. That mandate comes from the Competition and Markets Authority (CMA) and imposes a legal duty on hospitals and consultants to submit data to PHIN as the official Information Organisation (IO) for private healthcare.
The CMA’s Order is issued under the Enterprise Act 2002 and specifies 11 performance measures for PHIN to publish, by procedure, at both hospital and consultant level. These performance measures are also listed on PHIN’s website at media.phin.org.uk/about/our-mandate/. Section 167(2) of the Enterprise Act provides that, “Any person to whom such an undertaking or order relates shall have a duty to comply with it”.
On this basis. PHIN’s lawful bases for processing private patient data is Article 6(1)(c) of the GDPR: as due to the obligations under the CMA Order the lawful basis for the processing of personal data is “necessary for compliance with a legal obligation”. The same lawful basis applies to providers who have obligations under the CMA Order to disclose patient data to PHIN.
Publication will be made via the PHIN website in a format that will allow patients requiring hospital treatment and their doctors to search for local private hospitals by procedure and to compare how they perform in terms of quality and safety based on treatment data. Individuals are then able to make informed choices; which Consultant to see, which treatment option to follow, and at which hospital to be treated. This information will not be in a form where individuals can be identified.
The PHIN Privacy Notice can be found at www.phin.org.uk/footer/privacy-notice
Sharing NHS numbers
Your NHS number may be shared with PHIN as part of the process above. An additional reason for obtaining the NHS Number relates to HCA UK’s intention to access the UK Child Protection Information Sharing (CP-IS) system in order to facilitate the sharing of information between health and local authorities where a child may be at risk of being neglected, maltreated or abused.
HCA UK ensures all the information it holds is kept safe and confidential.
Sharing of your personal data for scientific research purposes
Subject to applicable data protection laws and your explicit written consent we may share your personal data for the purpose of scientific research.
Sharing of your personal data for marketing purposes
Subject to obtaining your written consent and communications preferences we may use your contact details to send you newsletters and other information on new Facilities, services and treatments which we think may be of interest to you. We will not sell your personal data to a third party without your written consent.
You are free at any time to change your mind and withdraw your consent. Please contact email@example.com. This will not affect the healthcare services we provide to you.
Sharing of your personal data in order to receive payment for your treatment from your Insurer, sponsor or guarantor
We will contact the individual or company including your insurer and provide them with the information necessary to support our invoices for payment and to ensure that we receive full payment for your care. We may also contact them prior to your care to confirm that the treatment you are about to receive is covered by them and they are willing to pay for your care. We will also provide information necessary to support any audits carried out by insurers and sponsors.
Your personal data may be transferred outside the UK and the European Economic Area. While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it. These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certified with an ‘international framework’ of protection.
How long do we keep your data?
Information will be kept in accordance with the retention periods outlined in the Information Governance Alliance (IGA) Records Management Code of Practice for Health and Social Care (2016). Information may be held for longer periods where the following apply:
- Retention in case of queries. We will retain your personal data as long as necessary to deal with any queries you may have;
- Retention in case of claims. We will retain your personal data for as long as you might legally bring claims against us; and
- Retention in accordance with legal and regulatory requirements. We will retain your persona l data after you have received healthcare services at our Facilities based on our legal and regulatory requirements and obligations.
Your rights under applicable data protection law
Your rights are as follows (noting that these rights do not apply in all circumstances):
- The right to be informed about processing of your personal data;
- The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;
- The right to object to processing of your persona l data;
- The right to restrict processing of your personal data;
- The right to have your personal data erased (the “right to be forgotten”);
- The right to request access to your personal data and information about how we process it;
- The right to move, copy or transfer your personal data (“data portability”) ; and
- Rights in relation to automated decision making including profiling
You may exercise these rights by contacting us on firstname.lastname@example.org
You have the right to complain to the Information Commissioner’s Office. It has enforcement powers and can investigate compliance with data protection law ico.org.uk.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
We have tried to cover all cookies in this list that we or our service providers use. Please be aware that there may be a delay in updating this list. If you do notice any discrepancies please be sure to let us know.
Category 2: performance cookies These cookies collect information about how visitors use our website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how our website works.
By using our website, you agree that we can place these types of cookies on your device.
Category 2: List of cookies
Name: Google Analytics
What they do: Google Analytics sets cookies to help us accurately estimate the number of visitors to the website and volumes of usage. This is to ensure that the service is available when you want it and fast.
Utma – this expires after 2 years
Utmb – expires after 30 mins
Utmc – session cookie which expires at the end of use
Utmz – expires after 6 months
_gid – unique cookie ID for user
_gat_tealium_0 – connects tag management to analytics
digitaldata_previous_page_cookie – stores the previous page visited
Name: Infinity Cloud
What they do: Infinity Cloud sets cookies to share a telephone number to a user that persists while the cookie is present. It also has capacity to record call audio. Both uses are to support statistical analysis of website use.
The duration of the following Infinity cookies is 10 years, unless you delete your browser history/cookies.
Category 3: functionality cookies
These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance, a website may be able to provide you with local weather reports or traffic news by storing in a cookie the region in which you are currently located.
These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.
The information these cookies collect are anonymised and they cannot track your browsing activity on other websites.
By using our website, you agree that we can place these types of cookies on your device.
Category 3: list of cookies
What they do: This cookie allows videos to be streamed through the website. It does not collect personal information about the user of a device.
This cookie expires after 1 year
Removing and disabling cookies
If you do not wish to accept cookies on to your machine you can disable them by adjusting the settings on your browser. However this will affect the functionality of the websites you visit. For more help on how to disable your cookies or delete them visit www.aboutcookies.org.
Content management and responsibility
HCA International Limited, “HCA UK”, and the hosts of this website, accept no responsibility for, and exclude all liability in connection with browsing this website, use of information on this website and downloading any material from it, including, but not limited to, any liability for errors, inaccuracies, omissions or misleading or defamatory statements.
Although every reasonable effort is made to ensure that files are free of defects and viruses, there are no guarantees that they are free from defects or computer viruses. Therefore, no warranty or guarantee is given by HCA UK, regarding files downloaded or accessed through HCA UK’s website or through a link accessed via HCA UK’s website.
This website is intended to enable information relevant to the work of HCA UK, to be freely available on the World Wide Web. Whilst HCA UK hopes you find this website interesting and informative, the contents are for general information only. HCA UK believes the contents to be true and accurate as at the date of writing, but can give no assurances or warranties regarding the accuracy, currency or applicability of any of this website’s contents. As such, the contents of this website should not be relied upon. In addition, none of the content of this website will form any contract between HCA UK and any user of the website, nor constitute any offer by HCA UK. The use of and access to pages of the HCA UK website is subject to the foregoing disclaimer, and the terms and conditions set out below. By using or accessing this website, you agree to be bound by these terms and conditions.
HCA UK shall not be liable for any loss or damage howsoever arising in connection with the content of the website. HCA UK does not guarantee that the website will be error-free, omission-free, uninterrupted or without delay.
Whilst HCA UK makes all reasonable attempts to exclude viruses from the website, we cannot guarantee that the website will be virus free and accept no liability in the unlikely event that the website is not virus free.
Users are recommended to take appropriate safeguards before downloading information from this website.
Access to information
HCA UK will not share your confidential information with anyone outside of HCA UK. You are prohibited from posting or transmitting, to and from, the website any unlawful, threatening, defamatory, obscene, and pornographic or other material which would violate any law.
Unless otherwise specified, the materials on this website are directed solely at those who access this website from the United Kingdom mainland. HCA UK makes no representation that any information, product or services referred to in the materials on this website are appropriate for use, or available, in other locations. Those who choose to access this website from other locations are responsible for compliance with local laws if and to the extent local laws are applicable.
Although the website has been tested and should work correctly under normal circumstances, there are many factors both within and outside of the control of HCA UK, which may prevent the website from being available. No responsibility is accepted by HCA UK, for any losses howsoever caused that may arise from an inability to access or to access resources through its website. If you find any errors within the HCA UK website, including links that do not work, pages linked to the wrong document and out of date information, please email the HCA Healthcare UK digital team.
We are committed to respecting and protecting your privacy when we deal with your personal information. The following privacy notice gives you details on the information we collect about you, how we protect and use it, and your rights. If you have any questions about how we use your information, please email us at DPO@hcahealthcare.co.uk.
You can pick up a copy of this Privacy Notice from Reception at our Facilities or download a copy of our Privacy Notice here.
Further information can be provided from our Data Protection Officer on DPO@hcahealthcare.co.uk
This Notice may be translated into other languages on request.
Last updated: April 2020