Last updated: 25-May-18
Privacy and cookie notice – 25 May 18
NOTE: this privacy notice applies to patients, employees, suppliers and website visitors or interested persons.
Part 1: Introduction and summary
1.1. Introduction
Thanks for reading our privacy notice. It tells you how we collect, use and share your personal information and what your rights are – and how to exercise them.
There are a couple of technical definitions to get out of the way first. Here they are.
By “personal information” we mean personal data as defined in UK data protection law. In general, it means any information relating to you, which identifies you or allows you to be identified. That may be your name, an ID number, location, an online identifier or factors specific to you (e.g. physical, physiology (thoughts, feelings), genetic, mental, economic, cultural or social factors).
By “sensitive” personal information we mean two things: 1. what’s technically known as “special categories” (personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation) and 2. criminal data (criminal offences or related security measures, including the alleged commission of offences, proceedings for an offence committed or alleged to have been committed or the disposal of those proceedings, including sentencing).
For ease, we’ve split this privacy notice up into parts:
Part 1: Introduction and summary
Part 2: Important information about your rights in relation to consent and to object to our use of your personal information
Part 3: Key information required by the GDPR
Part 4: Cookies and similar technologies
If you have any queries about this privacy notice, please contact us. Please see “Our identity and contact details” in section a of “Key information required by the GDPR” below for our contact details.
1.2. Summary
Type of individual: Patients
Our main uses of your personal information:
· If you are a private patient, to enter into a contract with you and to provide agreed healthcare services to you
· If your club/employer is entering into a contract with us, for the legitimate purpose of providing healthcare services to you, as agreed with your club/employer
· To keep accounts and records.
Where to find out more:
How to withdraw your consent or object to our use (where applicable): Look in Part 2. It tells you how to withdraw any consent you’ve given (see section j as well) and how to object to both direct marketing and to our use where it’s based on a balancing test (called “legitimate interests”) which involves weighing our interests or a third party’s interests against your rights.
Other information: Look in Part 3; here’s what’s in the different sections.
· Section a: our contact details
· Section c: the purposes and legal basis for our use of your personal information
· Section d: the legitimate interests often underpinning our use of your personal information
· Section e: the types of personal information we may get from someone other than you
· Section f: third parties with whom we may share your personal information
· Section g: transfers (exports) of personal information
· Section h: storage periods
· Section i: your GDPR rights
· Section j: withdrawing consent
· Section k: complaints to the ICO
· Section l: information you must provide (either by law or under a contract)
· Section m: sources of personal information (where you aren’t the source)
· Section n: automated decisions

Type of individual: Employees
Our main uses of your personal information:
· To manage our employment relationship with you.
· To keep accounts and records.

Type of individual: Suppliers
Our main uses of your personal information:
· To manage our supplier relationship with you.
· To keep accounts and records.

Type of individual: A website visitor or interested person
Our main uses of your personal information:
· Unless you fill in a form or contact us in some other way, we probably can’t identify you.
· Please note that we use Vimeo to embed videos onto our site.
Where to find out more: Look in Part 3:
· Section a: our contact details
· Section i: your GDPR rights
· Section k: complaints to the ICO
Part 2: Important information about your rights in relation to consent and to object to our use of your personal information
Your rights in relation to consent
Where you’ve given us explicit consent to use your sensitive personal information, you may withdraw it at any time. We ask for explicit consent to:
· Disclose your diagnostic testing results to your referring clinician.
· Disclose your cardiac screening results to your GP and/or, if you are under 18, to your parent.
· Disclose your cardiac testing results to your club/employer.
To withdraw your consent, please contact us.
We will rely on your browser settings to indicate your consent to the use of cookies on our website. To withdraw that consent, please adjust your browser settings. Please see “Cookies and similar technologies” below for instructions.
Please see:
· section a in “Key information required by the GDPR” below for our contact details
· section c in “Key information required by the GDPR” below for further details of where we rely on your consent
· section j in “Key information required by the GDPR” below for further details of your right to withdraw consent, and
· “Cookies and similar technologies” below for information about cookies and similar technologies used on this site.

Your right to object to our use of the “legitimate interests” basis for processing
You may, at any time, object to our use of your personal information which is based on our legitimate interests, as summarised below. We consider that our use of your personal information for:
· Business operation and improvement
· Patient relationship management
· Employee relationship management
· Supplier relationship management
· Network and information security
· Reporting possible criminal acts/threats to competent authorities
is in our legitimate interests. You may object to our use on that basis. To exercise your right, please contact us.
Please see:
· section a in “Key information required by the GDPR” below for our contact details
· section d in “Key information required by the GDPR” below for further details of our reliance on the legitimate interests basis for processing, and
· section i in “Key information required by the GDPR” below for further details of your right to object.
Part 3: Key information required by the GDPR
Here are important details about us and our use of your personal information.
a. Our identity and contact details
Requirement: Identity and contact details and, where applicable, of the representative
Our details:
HeartScan Limited
Registered office: 28 Mulgrave Terrace, Gateshead, Tyne and Wear, NE8 1PQ
Main clinics: The Osborne Clinic, 22 Osborne Avenue, Jesmond, Newcastle upon Tyne, NE2 1JQ
Telephone: 0191 646 1066
Fax: 0191 247 5885
Email: info@heartscan.co.uk
We are registered as a controller with the Information Commissioner. Our registration number is ZA071423.
b. Data protection officer and queries
Requirement: Contact details of the data protection officer, where applicable
Our details: We do not have a data protection officer. For queries, comments or complaints, please contact us; our contact details are in the “Identity and contact details” section a above.
c. Purposes and legal basis
Requirement: The purposes of the use for which the personal information is intended as well as the legal basis for the use
Our details:
Here’s a key to the second column of the table below:
· Consent: your consent to one or more specific purposes
· Contract: entering into a contract with you or performing a contract with you
· Legal obligation: we’re required by law to do this
· Vital interests: to protect your own or another individual’s vital interests (e.g. life or death situation)
· Legitimate interests: we’ve identified this as a legitimate interest of ours or a third party; we consider that use of your personal information is necessary to achieve that legitimate interest; and we’ve balanced all that against your interests, rights and freedoms
The third column gets a bit more technical. Where we’re dealing with sensitive personal information we need not one legal basis but two, from a different list (and the list is a lot longer). The main ones are:
· Explicit consent: your explicit consent to one or more specific purposes
· Health or social care: provision of healthcare or management of healthcare systems
· Legal claims: to establish, exercise or defend a legal claim
· Vital interests: that’s the same as column 2 except it has to be where the individual is incapable (physically or legally) of giving consent.
· Archiving, research and statistics: this must be in the public interest; data must be minimised, and anonymised or at least pseudonymised; the activity mustn’t cause substantial distress or damage to individuals and mustn’t relate to a particular individual except for approved research
You can find more details on the ICO website at https://ico.org.uk
Here is a summary of the purposes for which we use personal information and the legal bases for our use.
Our purposes | Legal basis (all personal information) | Additional legal basis (sensitive personal information)
To enable us to provide healthcare services for patients | Consent; Contract; Vital interests; Legitimate interests | Explicit consent; Vital interests; Legal claims; Health or social care
To support and manage our employees | Contract; Legal obligation; Vital interests; Legitimate interests | Employment, social security and social protection law; Vital interests; Legal claims; Health or social care
To manage our suppliers | Legitimate interests | Legal claims
To analyse data and produce reports for business planning and management | Legitimate interests | Legal claims; Archiving, research and statistics
d. Legitimate interests
Requirement: Where the use of information is based on the legitimate interests condition, the legitimate interests pursued
Our details: Our legitimate interests are:
· Business operation and improvement – operating and improving our business
· Patient relationship management – looking after our patients
· Employee relationship management – managing and training our employees
· Supplier relationship management – managing our suppliers
· Network and information security – securing our systems
· Reporting possible criminal acts/threats to competent authorities – if and when the need arises.
e. Personal information collected indirectly – categories
Requirement: The categories of personal information collected indirectly
Our details: We collect the following categories of personal information indirectly (e.g. from third parties):
· Your health data, from your referring clinician if you are a patient referred for diagnostic testing and consultation services.
· Your name, age, medical history and details of previous medical test results, from your club/employer, where we’re providing services to a club.
· Your policy number, authorisation numbers for proceeding with tests/care and invoice payment notification and any notification of shortfall due to policy restrictions, from your insurer, if your insurer is paying for your treatment.
· Your reference, from your referee, if you are a prospective employee.
f. Recipients
Requirement: The recipients or categories of recipients of the personal information, if any
Our details: We may share your personal information with:
· Your insurer, if they are paying for your treatment (we will not share any test results, just your personal details, insurance policy details and a list of tests/consultations performed with dates).
· Your referring clinician, if you explicitly consent to them receiving your diagnostic test results.
· Your GP or (if you are under 18) your parent, if you explicitly consent to them receiving your cardiac screening results.
· Your club/employer or (if you are under 18) your parent, if you explicitly consent to them receiving your cardiac testing results.
· A third party postal service (just your name and address, for delivery).
· Legal advisers (for legal advice and claims).
· Another business, in connection with any merger or acquisition with them.
We will not otherwise disclose your personal information to a third party unless required or permitted to do so by law.
g. Transfers outside of the European Economic Area (EU member states, Norway, Iceland and Liechtenstein) (EEA)
Requirement: Where applicable, the fact that personal information is to be transferred to a third country or international organisation and the existence or absence of an adequacy decision by the European Commission, or in the case of transfers subject to appropriate safeguards or non-repetitive, limited transfers based on compelling legitimate interests, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
Our details: We do not transfer any personal information to third countries or international organisations. All personal information is stored in the UK and/or in the European Economic Area.
h. Storage period
Requirement: The period for which the personal information will be stored, or if that is not possible, the criteria used to determine that period
Our details: The period for which we will store patient records is based on guidelines provided by our insurers and on the NHS records management code of practice for health and social care, namely:
· For patients who were under the age of 17 at the date on which the last treatment was concluded, until that patient’s 25th birthday
· For patients who were aged 17 at the date on which the last treatment was provided, until that patient’s 26th birthday
· For patients who died before the age of 18, for a period of 8 years beginning from the date of the patient’s death
· All other cases, a period of 8 years beginning on the date of the last entry in the patient records.
At that point, the record will be reviewed and destroyed if no longer needed.
We store employee data and supplier data for up to 7 years after the end of the employee/supplier relationship, to protect our business against legal claims. At that point, the data will be reviewed and destroyed if no longer needed.
i. Individual rights
Requirement: The existence of the right to request access to and rectification or erasure of personal information or restriction of use concerning the individual or to object to use as well as the right to data portability
Our details: You have rights to make a request to us:
· for access to your personal information
· for rectification or erasure of your personal information
· for restriction of processing concerning you
· to object to our processing which is based on legitimate interests
· to object to direct marketing (we don’t currently carry out direct marketing)
· to object to archiving in the public interest, research and statistics
· to port (transfer) personal information you have provided to us, either to you or to another provider.
These rights are more complicated than the simple summary above. To find out more about them, please visit the Information Commissioner’s website.
To exercise your rights, please contact us. Our contact details are in the “Identity and contact details” section a above. Please make it clear which right(s) you want to exercise, for example by putting the name of the right in the subject line of the email. Thank you.
You may also exercise your rights by completing the website contact form and selecting the “data protection rights” option. We will then get in touch.
j. Withdrawal of consent
Requirement: Where the use is based on consent (for ordinary or sensitive personal information), the existence of the right to withdraw consent at any time, without affecting the lawfulness of use based on consent before its withdrawal
Our details: You have a right to withdraw any consent you give us at any time. This will not affect the legality of our consent-based use before you withdrew consent.
To withdraw consent to cookies, please adjust your browser settings (please see our cookie policy for further details).
To exercise your right to withdraw in any other case, please contact us. Our contact details are in the “Identity and contact details” section a above. You may also withdraw consent by completing the website contact form and selecting the “data protection rights” option. We will then get in touch.
k. Complaints
Requirement: The right to lodge a complaint with a supervisory authority
Our details: You have a right to complain to the Information Commissioner, whose contact details are:
Information Commissioner’s Office
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Website: https://ico.org.uk, which sets out email addresses and an email form.
l. Information collected directly – legal or contract requirement
Requirement: Whether the provision of personal information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal information and of the possible consequences of failure to provide that information
Our details: There are no statutory requirements to provide us with personal information.
For private patients, it is a contract requirement that you complete the registration forms and (for screening) any healthcare questionnaires, fully and accurately.
If you are a supplier or prospective employee or website visitor who makes an enquiry, we’ll normally need your personal details (name and contact details) to receive goods and services, process your application or answer your query. For suppliers and prospective employees, we may also need your financial details (e.g. bank details and VAT number where applicable) so we can pay you.
m. Sources of personal information collected indirectly
Requirement: The source of the personal information and if applicable, whether it came from publicly accessible sources
Our details: Please see section e (categories of information collected indirectly) above.
n. Automated decision-making
Requirement: The existence of automated decision-making, including profiling. This means a decision based solely on automated profiling which produces legal effects concerning the individual, and which must not be based on special categories of (i.e. sensitive) personal information without explicit consent or substantial public interest, with safeguards. Meaningful information about the logic involved, as well as the significance and the envisaged consequences of the processing for the individual must also be provided.
Our details: We do not conduct automated decision-making. All decisions about you will be made by humans.
Part 4: Cookies and similar technologies
When you visit our site, third party sites will place a small amount of information on your device, for example, your computer, laptop, tablet or mobile phone. This information consists of small files known as ‘cookies’.
Some third party sites will also use pixels (also known as clear gifs, web beacons or web bugs) in conjunction with cookies. Pixels are code used on a web page or in an email notification. They are used to learn whether you’ve interacted with certain web or email content. This helps to measure and improve services and personalise your experience. You cannot delete pixels but you may be able to turn off features using this technology through the third party’s site and account settings.
We have listed those third party cookies at the end of this policy. They are set by Vimeo, which we use to embed videos onto our site. Please see https://vimeo.com/cookie_policy for details of Vimeo’s use of cookies and other user tracking technologies.
In some browsers, our site will create local storage and session storage as well as cookies. Local storage and session storage are another type of file placed on your device that can hold data. They will often appear when a website has video or audio content.
You can delete local storage and session storage in the same way that you delete cookies.
Most web browsers allow some control of most cookies through the browser settings.
Third party software tools can also be used to block or restrict certain cookies and tracking technologies.
Please be aware that restricting cookies may impact on the functionality of our site, particularly the videos.
To find out more about cookies, including how to see what cookies and other technologies have been set and how to manage and delete them, please visit http://www.allaboutcookies.org/ and http://www.youronlinechoices.com/.
List of cookies
Description | Name of cookie | Expiry
Set by our site:
Cookie banner accepted | catAccCookies | 1 month
Set by player.vimeo.com:
Google Analytics cookies for video usage. These cookies are used by Vimeo to track information about how the Vimeo service is being used, so Vimeo can make improvements and report on performance. See also: https://vimeo.com/cookie_policy and Google’s overview of privacy at Google.
Google Analytics cookie for video usage | _utma | 2 years
Google Analytics cookie for video usage | _utmb | 30 mins
Google Analytics cookie for video usage | _utmc | end of session
Google Analytics cookie for video usage | _utmt_player | 10 minutes
Google Analytics cookie for video usage | _utmv | expires immediately
Google Analytics cookie for video usage | _utmz | 6 months
Set by vimeo.com:
Vimeo Analytics unique id. See: https://vimeo.com/cookie_policy | _vuid | 2 years