Mr William Flannery BM FRCS(ORL-HNS) MFMLM
This notice is designed to inform you of the type of information that I collect and hold about you in the course of providing you with private medical care. It will also tell you what I do with the information I collect, how I will look after it and with whom I might share it. It covers information I collect directly from you or which I may receive from other individuals or organisations. This Privacy Notice also sets out your rights in respect of your personal information, and how to exercise them. You can, for instance, seek access to your medical information, object to particular ways your information may be used and you can request rectification of any information which is inaccurate or the deletion of information which is no longer required (subject to certain exceptions). This Privacy Notice does not provide exhaustive detail. However, I am happy to provide any additional information or explanation as needed. If you would like further information about any of the matters in this Privacy Notice or have any other questions about how I collect, store or use your personal information, please contact me using the details below.
If you would like this notice in another format, such as Braille, audiotape, large print or another language, please contact me, again, using the contact details on my website and correspondence.
2. Who I am and what I do
In this Privacy Notice the use of “I” “me” or “mine” refers to your treating clinician Mr William Flannery and will also include the actions of any Medical Secretary or other staff acting under my instruction.
Under the terms of the EU General Data Protection Regulation (GDPR), I am known as a “Data Controller” and a “Data Processor”. This means that I am legally responsible for ensuring that all personal information that I process about you is done in compliance with data protection laws. All Data Controllers must notify the Information Commissioner’s Office of all personal information processing activities. My ICO registration number is ZA053927 and my entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
3. How to contact me
If you have any queries or concerns about how I handle your personal information or about the content of this Privacy Notice, please contact me by:
- Telephone: 0118 207 7397
- E-mail: firstname.lastname@example.org
- Post: Circle Reading Hospital, 100 Drake Way, Reading, Berks RG2 0NE
4. How I work
I will provide your treatment from Circle Reading Hospital and consequently, there may be occasions when it is necessary for Circle Reading Hospital to also process your personal data (for example, when admitting you to the hospital for treatment or when arranging nursing or additional care and treatment). Your information will only be processed as required by the Data Protection laws of the UK. Where this does become necessary, Circle Reading Hospital will become a joint Data Controller in respect of your personal information and they will provide you with a copy of their own Privacy Notice at that point, which sets out how they will manage your personal information.
5. Personal Information I hold about you
When I refer to “personal data” in this policy, this refers to information that can or has the potential to identify you as an individual. When I refer to ‘processing’ your personal information, this covers any use of your personal information, including but not limited to accessing, storing and disseminating information. I may also use “special categories of personal information” about you, which could include information relating to your physical and mental health.
When you request treatment from me and become my patient, the personal information I may then need to hold about you may include the following:
- Contact details, such as postal address, email address and telephone numbers
- Financial information, such as credit card details used to pay me
- NHS Number
- Family details including next of kin
- GP and referral details
- Visual images, for example CCTV images as part of building security
- Responses to surveys or questionnaires
- Correspondence relating to a complaint or claim
- Your specific information requirements
Special categories of information relating to your medical treatment must be handled even more sensitively than your personal information. The special categories of personal information I may hold and process about you may include the following:
- Details of your current or former physical or mental health. This may include information about any healthcare you have received (both from me directly and other healthcare providers such as your GP or hospitals (private and/or NHS)) and details of medicines previously and currently taken.
- Details of other services you have received from me
- Details of your lifestyle and social circumstances
- Details of your nationality, race and/or ethnicity
- Details of your religion
- Details of any genetic data or biometric data relating to you
- Data concerning your sex life and/or sexual orientation.
6. How I collect your information
There are a number of ways in which I may collect your personal information. It may be collected directly from you when:
- You enter into a contract with me for the provision of healthcare services
- You use those services
- You correspond with me by letter, email, telephone or social media
- You complete enquiry forms on my website.
In order to provide you with the best treatment possible, I may need to collect your medical records including information about any diagnosis, clinic and hospital visits and medicines administered. This information may be provided by other individuals and organisations, including:
- Hospitals, both NHS and private
- Commissioners of healthcare services
- Other Private providers of healthcare (including their medical secretaries).
Information about you may also be provided to me from other sources as relevant to your treatment. These third parties may include:
- Your insurance policy provider
- Your current or former employer
- Your family
- External medical experts
- NHS health service bodies
- Credit reference agencies
- Debt collection agencies
- Government agencies, including the Ministry of Defence, the Home Office and HMRC.
7. How I will protect your privacy
I am committed to protecting your privacy and will only process personal information in accordance with the EU General Data Protection Regulation, the Human Rights Act 1998 and the common law duty of confidentiality.
All information that I hold about you will be held securely and confidentially. I use clear administrative and technical controls to do this. Both I and any staff working for me have undertaken appropriate levels of Information Governance training to ensure that we have the correct skills and understanding to look after any information you provide to the highest standards of confidentiality and security. Additionally, all staff at Circle Reading Hospital, any contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
I will only ever use the minimum amount of information necessary about you to provide you with treatment and healthcare. Wherever possible, I will use information that does not directly identify you, however, where it is necessary for me to know or use personal information about you, I will only do this where I have an appropriate legal justification for doing so.
Where my staff or the staff of Circle Reading Hospital need to access your clinical record (for example, my secretary will need to see your record in the process of typing up correspondence or where medical queries are being followed up) they will only access the necessary information and will follow the strictest rules of confidentiality and data protection. My medical secretaries are required to sign a confidentiality agreement and are bound by their contract of employment, which does not allow them to disclose any information about your health care to anyone unless it is to another clinical team for the purpose of your health care.
I will not divulge your record to any other patients or family members unless you give me permission to do so (except, where applicable, in the case of children under 12). Some patients do prefer a family member or friend to act on their behalf. If you wish for someone else to act on your behalf, please let me know and I will make arrangements with you for this to take place. You can withdraw this consent at any time, but you must let me know immediately if you no longer wish for me to discuss your health with the nominated person.
8. How I will communicate with you
I need to communicate with you in order to provide you with healthcare services. I or my secretary may contact you by telephone, SMS, email, and/or post.
In order to provide you with timely updates and reminders in relation to your healthcare, I may communicate with you by telephone, SMS and/or email (where you have provided me with your telephone number and/or email address).
To provide you with your medical information (including test results and other clinical updates) and/or invoicing information, I may communicate with you by email where you have provided your email address and where you have agreed to this form of communication for medical matters.
If you have stated a preference to be communicated with about your health care or treatment via a particular method, I will not be relying on your consent to process your data in this way. As set out in Schedule 1 below, the processing of your personal data for these purposes is justified on the basis that it is necessary to fulfil my contract with you for the provision of healthcare services.
9. Surveys and Marketing
Where you provide me with your mobile number or your email address I may use one or both of these to contact you regarding patient surveys (which I may conduct, or which may be undertaken by any professional bodies of which I am a member, for the purpose of improving my service and monitoring patient outcomes). I will only contact you in this way if you have provided your consent for me to do so. You have a right to decide not to consent to such contact and it will not affect your care should you choose to do so. You will be able to unsubscribe from receiving such requests at any time without having to give a reason.
10. With whom I share your information
In certain situations, I may share data about relevant aspects of your healthcare record with other clinicians or with third parties such as Circle Reading Hospital and/or your Medical Insurance Provider.
Specifically, I may disclose your information to the third parties listed below for the purposes described in Schedule 1 of this Privacy Notice. They may include:
- A doctor, nurse or any other healthcare professional involved in your treatment
- Other members of Circle Reading Hospital staff involved in the delivery of your care, such as receptionists and porters
- Emergency contacts, for example your next of kin or carer
- NHS organisations
- Other private sector healthcare providers
- Your GP
- Another private provider of medical care or treatment to you (including their medical secretaries)
- Third parties who assist in the administration of your healthcare, such as insurance companies
- The Private Healthcare Information Network (See Schedule 1 for more details on this)
- National and other professional research and audit programmes, as detailed in Schedule 1
- Government bodies, including the Ministry of Defence, the Home Office and HMRC
- Regulators of healthcare such as the Care Quality Commission
- The police and other third parties where reasonably necessary for the prevention or detection of crime
- My insurers
- Debt collection agencies
- Credit referencing agencies
- Any third party services providers such as IT suppliers
- Selected third parties in connection with any sale, transfer or disposal of my business
- Anyone else with whom you ask me to communicate
I may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.
I will not otherwise share, sell or distribute any of your personal information to any third party without your consent, unless required by law. Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with the requirements of the EU General Data Protection Regulation.
You may wish me to share health information held about you with others for purposes other than your care. This could include sharing with insurance companies, providing a medical report for a mortgage, life insurance or immigration purposes, or sharing with a solicitor representing you in a personal injury claim. In such cases this will only be done with your signed and explicit consent. I will only share the minimum agreed information.
11. International data transfers
I (or third parties acting on my behalf) may store or process information that I collect about you in countries outside the European Economic Area ("EEA"). Under the EU General Data Protection Regulation (GDPR), companies transferring information outside of the EEA must ensure that such transfers are subject to appropriate safeguards to ensure an adequate level of data protection. Where I make a transfer of your personal information to a country outside the EEA, I will take the required steps to ensure that your personal information is protected.
I may transfer your personal data outside of the EEA to the following specific types of third party:
- Medical administration services
- Suppliers of medical devices / bespoke prostheses etc
Where I do use such organisations, I have undertaken a privacy impact assessment to ensure this process is safe and meets data protection requirements under the relevant laws.
If you would like further information regarding the steps I take to safeguard your personal information, please contact me as outlined in Section 3.
12. How long I will keep your personal information
I will only keep your personal information for as long as reasonably necessary to undertake your care and to comply with my legal and regulatory obligations. If you would like further information regarding the periods for which your personal information will be stored, please contact me as outlined in Section 3.
13. For what purposes I will use your information
I may 'process' your information for a number of different purposes. The law requires me to have a legal justification for processing your data. The particular justification will depend on the proposed use of your data. When the information I process is classed as “special category of personal information”, I must have a specific additional legal justification in order to process your data.
I will rely on the following legal justifications for processing your personal data:
- Taking steps at your request so that you can enter into a contract with me to receive treatment and/or healthcare services.
- For the purposes of providing you with healthcare pursuant to a contract between us.
- I have an appropriate business need to process your personal information and such business need does not cause harm to you. Under the law this is called a ‘legitimate interest’.
- I have a legal or regulatory obligation to use such personal information.
- I need to use your personal information to establish, exercise or defend my legal rights.
- You have provided your consent to my use of your personal information.
You will find details of the legal justifications for each of my processing activities in Schedule 1 of this Privacy Notice.
14. What rights you have under the law with regard to your personal information
Under data protection law you have certain rights in relation to the personal information that I hold about you. These include the right to know what information I hold about you and how it is used. You may exercise these rights at any time by contacting me as outlined in Section 3.
There will not usually be a charge for handling a request to exercise your rights. If I cannot comply with your request to exercise your rights I will usually tell you why. There are some special rules about how these rights apply to health information as set out in the relevant legislation.
If you make a large number of requests or it is clear that it is not reasonable for me to comply with a request then I do not have to respond or I can charge you for responding.
Your rights include:
- The right to access your personal information
You are entitled to a copy of the personal information I hold about you and details about how I use it. Please note that in some cases I may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you.
- The right to restriction of processing
In some circumstances, you can ask me to suspend the use of your personal data. Sometimes I won't be able to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.
- The right to data portability
You can ask me to transfer your personal information to you or to another individual or organisation. The information must be transferred in an electronic format.
- The right to object to processing
You can ask me to stop processing your information where I am relying on legitimate interests as the legal ground for processing (when I refer to 'legitimate interests', this means that I have an appropriate business need to process your personal information and this business need does not cause harm to you).
- The right not to be subject to automatic decisions
You have a right to not be subject to decisions that are made about you by computer alone. I do not carry out any automated decision-making in relation to your treatment.
- The right to withdraw consent
In some cases I need your consent in order to use your personal information in compliance with data protection legislation. Schedule 1 sets out the instances where I will rely on your consent for the purpose of processing your personal information. You have the right to withdraw your consent at any time. You can do this by contacting me as outlined in Section 3.
- The right to complain to the Information Commissioner's Office
You can complain to the Information Commissioner's Office if you are unhappy with the way that I have managed any of your rights above, or if you think I have not complied with my legal obligations. More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/. Making a complaint will not affect any other legal rights or remedies that you have.
15. When this Privacy Notice will be updated
I may update this Privacy Notice from time to time to ensure that it remains accurate. If these changes result from any material difference to the manner in which I process your personal data then I will provide you with an updated copy of the Privacy Notice. This Privacy Notice was last updated on 25 May 2018.
16. How you may make a complaint or enquiry
I aim to meet the highest standards when collecting and using personal information. For this reason, I take any complaints I receive very seriously. I encourage you to bring concerns to my attention if you think that my collection or use of information is unfair, misleading or inappropriate. I would also welcome any suggestions for improving my procedures. You can contact me regarding any complaints or questions as outlined in Section 3.
ABOUT THE INFORMATION I COLLECT AND HOLD
In the entries below I have set out the individual purposes for which I will process your personal information and the legal justification for doing so. In most instances, I am also required to identify an additional legal justification where I am processing special categories of personal information (e.g. medical information). Beside each legal justification, I have cited the relevant article of the EU General Data Protection Regulation (GDPR).
Each entry gives the purpose for processing, a description, the legal justification for processing personal information, and the additional legal justification for processing special categories of personal information.

Purpose: To perform screening and regulatory checks on individuals before they become my patients.
- Description: I perform background checks in order to ensure that you are eligible to become my patient.
- Legal justification (personal information): To take steps prior to entering into a contract with me for the provision of healthcare services (Article 6(1)(b)).
- Additional legal justification (special categories): Processing is necessary for reasons of substantial public interest (Article 9(2)(g)).

Purpose: To provide you with healthcare services.
- Description: As a healthcare provider I need your personal information in order to deliver that service.
- Legal justification (personal information): To fulfil my contract with you for the delivery of healthcare services (Article 6(1)(b)).
- Additional legal justification (special categories): Processing is necessary to protect your vital interests where you are physically or legally incapable of giving consent (Article 9(2)(c)).

Purpose: To carry out local clinical audits.
- Description: I may process your personal data as part of local clinical audits. These audits assess outcomes for patients and are used to identify improvements I can make to patient care. This has an indirect benefit to the population as a whole. You can object to me using your personal data for this purpose at any time. If you would like to raise an objection, please contact me as outlined in Section 3.
- Legal justification (personal information): I have a business need, or 'legitimate interest', to process your personal information and such business need does not cause harm to you (Article 6(1)(f)).
- Additional legal justification (special categories): Processing is necessary for statistical and scientific purposes in the public interest (Article 9(2)(j)).

Purpose: For national clinical audits.
- Description: I regularly share information with the National Clinical Audit programme and other quality improvement programmes. A list of these programmes can be found at http://www.hqip.org.uk/a-z-of-nca/. When a programme has received statutory approval, I will not require your consent for inclusion. If a programme has not received statutory approval, you will be asked to consent before your information is processed. You can object to me using your personal data for this purpose at any time. If you would like to raise an objection, please contact me as outlined in Section 3.
- Legal justification (personal information): I have a business need, or 'legitimate interest', to process your personal information and such business need does not cause harm to you (Article 6(1)(f)).
- Additional legal justification (special categories): Processing is necessary for statistical and scientific purposes in the public interest (Article 9(2)(j)).

Purpose: For medical research.
- Description: I participate in medical research programmes and share patient data with ethically approved third party organisations. Some research programmes have received statutory approvals such that consent may not be required to process patient information. When consent is required, either the research organisation or I will contact you before your information is processed in this way.
- Legal justification (personal information): I have a business need, or 'legitimate interest', to contribute to medical research and such business need does not cause harm to you (Article 6(1)(f)).
- Additional legal justification (special categories): Processing is necessary for statistical and scientific purposes in the public interest (Article 9(2)(j)).

Purpose: The external monitoring of safety and quality.
- Description: The Competition and Markets Authority Private Healthcare Market Investigation Order 2014 established the Private Healthcare Information Network ("PHIN") as an organisation that monitors outcomes of patients who receive private treatment. I am required by law to provide PHIN with information related to your treatment, including your NHS number, the nature of your procedure, whether there were any complications such as infection or the need for admission to an NHS facility, and the feedback you provided as part of a national survey. PHIN will use your information in order to share it with the NHS and track whether you have received any follow-up treatment.
- Legal justification (personal information): I will only share this information with PHIN if you have provided your consent for me to do so (Article 6(1)(a)).
- Additional legal justification (special categories): I will only share this information with PHIN if you have provided your consent for me to do so (Article 9(2)(a)).

Purpose: Resolving patient queries or complaints.
- Description: Occasionally patients may make enquiries or complaints about the service or treatment offered. In order to investigate and resolve these matters properly, I need to access your personal information.
- Legal justification (personal information): I have a business need, or 'legitimate interest', to process your personal information and such business need does not cause harm to you (Article 6(1)(f)).
- Additional legal justification (special categories): The processing is necessary in order for me to establish, exercise or defend my legal rights (Article 9(2)(f)).

Purpose: Communicating with other healthcare professionals about your treatment.
- Description: Other healthcare professionals may need to know about the treatment I have given you in order to provide you with appropriate care in the future. I will only share a summary of your care and treatment with your GP if you consent to it on your patient registration form. Examples of third parties who may need access to your information can be found in Section 10.
- Legal justification (personal information): I have a business need, or 'legitimate interest', to process your personal information and such business need does not cause harm to you (Article 6(1)(f)). I will only share a summary of your care and treatment with your GP if you have provided your consent for me to do so (Article 6(1)(a)).
- Additional legal justification (special categories): The processing is necessary for reasons of substantial public interest in the area of public health (Article 9(2)(i)). The processing is necessary in order for me to establish, exercise or defend my legal rights (Article 9(2)(f)). I will only share a summary of your care and treatment with your GP if you have provided your consent for me to do so (Article 9(2)(a)).

Purpose: Sharing your personal information with your insurer.
- Description: To allow your insurer to cover the cost of your healthcare, I need to communicate with them about the treatment you receive from me. Additionally, your insurer may require access to your medical records in order to validate and approve your treatment. Your insurer may also audit me for the purpose of validating the accuracy of my charges and assessing and assuring the quality of services provided by me. Your personal information will only be shared for this purpose if you have provided your consent on the patient registration form.
- Legal justification (personal information): To fulfil my contract with you for the delivery of healthcare services (Article 6(1)(b)). I will only share your medical record with your insurer if you have provided your consent for me to do so (Article 6(1)(a)).
- Additional legal justification (special categories): I will only share your medical record with your insurer if you have provided your consent for me to do so (Article 9(2)(a)).

Purpose: Complying with legal or regulatory obligations, and defending or exercising legal rights.
- Description: As an independent practitioner, I am subject to a wide range of legal and regulatory requirements. I may be required to provide personal information of patients under these requirements, in which case I will have a legal responsibility to do so. From time to time, I may also be the subject of legal actions or complaints. In order to fully investigate and respond to those actions, it may be necessary to process your personal information.
- Legal justification (personal information): The processing is necessary in order for me to comply with my legal obligations (Article 6(1)(c)).
- Additional legal justification (special categories): The processing is necessary for establishing, exercising or defending legal claims (Article 9(2)(f)).

Purpose: Improving the quality of care and service.
- Description: I strive to offer an outstanding experience to all my patients. I may sometimes ask patients to review treatment and services for the purpose of improving them or monitoring patient outcomes. It is for this reason that I may also record and review phone calls.
- Legal justification (personal information): I will only contact you regarding patient surveys if you have provided your consent on the patient registration form (Article 6(1)(a)). I have a business need, or 'legitimate interest', to record patient phone calls and such business need does not cause harm to you (Article 6(1)(f)).
- Additional legal justification (special categories): I will only contact you regarding patient surveys if you have provided your consent on the patient registration form (Article 9(2)(a)).

Purpose: For account settlement purposes.
- Description: I need to ensure that your account and billing information is accurate and up-to-date.
- Legal justification (personal information): To fulfil my contract with you for the delivery of healthcare services (Article 6(1)(b)).
- Additional legal justification (special categories): The processing is necessary in order for me to establish, exercise or defend my legal rights (Article 9(2)(f)).

Purpose: Managing my business operations.
- Description: I need to maintain accounting records, analyse financial results and receive professional business advice.
- Legal justification (personal information): I have a business need, or 'legitimate interest', to use your personal information and such business need does not cause harm to you (Article 6(1)(f)).
- Additional legal justification (special categories): No special category data will be processed under this purpose, so no additional legal justification applies.