Privacy Policy

 

GENERAL DATA PROTECTION REGULATION (GDPR) PRIVACY NOTICE

 

On 7th September One Healthcare (which operates One Ashford Hospital and One Hatfield Hospital) was acquired by Phoenix Hospital Group, one of the UK’s leading independent healthcare providers (“PHG Hospitals”). Whilst One Healthcare will no longer provide healthcare services, it is necessary for them to retain your personal data, in accordance with section 4 of this Privacy Policy below, for compliance with legal record-keeping requirements and in the event of any complaint or claim.       

 

For the previous version of this Privacy Policy which applied before 17 August 2023, please see here.

For the previous version of this Privacy Policy which applied between 17 August and 6th September 2023, please see here.

 

PHG Hospitals will process your personal data in the same way and for the same purposes as One Healthcare, including for the purposes of the ongoing provision of healthcare services to you.

 

PHG Hospitals’ Patient Data Privacy Notice 

1. Information About Us

We are regulated by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”). Phoenix Hospital Group acts as a controller of your personal data and is made up of the companies listed below. Each of these companies is an independent controller of your personal data and may share your personal data with other companies in Phoenix Hospital Group for the purposes of and on the basis set out in this privacy policy.

Phoenix Hospital Limited, registered in England under company number 04634173, whose registered office address is 9 Harley St, London, W1G 9AL.

Delivery address: 9 Harley St, London, W1G 9QY

Email address: data.controller@phoenixhospitalgroup.com

 

Weymouth Clinic Limited trading as Weymouth Street Hospital, registered in England under company number 06251383, whose registered office address is 9 Harley Street, London, W1G 9QD

Delivery address: 42-46 Weymouth Street, Marylebone, London W1G 6NP

Email address: data.controller@phoenixhospitalgroup.com

 

9 Harley Street Limited (includes 25 Harley Street Ltd) registered in England under company number 06396281, whose registered office address is 9 Harley Street, London, W1G 9QY

Delivery address for 9HS: 9 Harley Street, London, W1G 9QY

Delivery address for 25HS: 25 Harley Street, Marylebone, London, W1G 9QW

Email address: data.controller@phoenixhospitalgroup.com

 

Phoenix Hospital Investments Ltd (Phoenix Hospital Chelmsford or Chelmsford) registered in England under company number 12004528, whose registered office address is 9 Harley Street, London, England, W1G 9QY

Delivery address: West Hanningfield Rd, Great Baddow, Chelmsford CM2 8FR

Email address: data.controller@phoenixhospitalgroup.com

MyBreast Limited registered in England under company number 12116309, whose registered office address is 9 Harley Street, London, England, W1G 9QY.

Delivery address: 9 Harley Street, Marylebone, London, W1G 9QY.

Email address: data.controller@phoenixhospitalgroup.com

 

Phoenix Pathology is a trading name for 9 Harley Street Ltd, and is registered in England under company number 06396281, whose registered office address is 9 Harley Street, London, England, W1G 9QY

Delivery address: 25 Harley Street, Marylebone, London, W1G 9QW

Email address: data.controller@phoenixhospitalgroup.com

 

PHG Hospitals Holdings Ltd (PHG Hospitals A/B) “PHG Hospitals” is a subsidiary of Phoenix Hospital Group, and is registered in England under company number 14547099, whose registered office address is 9 Harley Street, London, England, W1G 9QY

Delivery address: 9 Harley Street, Marylebone, London, W1G 9QY.

Email address: data.controller@phoenixhospitalgroup.com

 

2. What Does This Notice Cover?

This Privacy Information explains how we use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.

We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide care and treatment and receive payment for these services.

3. What is Personal Data?

Personal data is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, medical records including digital and radiology data and reports, correspondence from and to other doctors/healthcare workers/hospitals and other online identifiers.

The personal data that we use is set out in Part 5, below.

4. What Are My Rights?

  • The right to be informed about processing of your personal data
  • The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed
  • The right to object to the processing of your personal data*
  • The right to restrict the processing of your personal data*
  • The right to have your personal data erased (the ‘right to be forgotten’)*
  • The right to request access to your personal data and information about how we process it
  • The right to move, copy or transfer your personal data (‘data portability’)

* these rights do not apply in all circumstances

You have the right to complain to the Information Commissioner’s Office (ICO) which can be found at https://ico.org.uk/. It has enforcement powers and can investigate compliance with data protection law. Your personal data is data which by itself or with other data available to Phoenix Hospital Group can be used to identify you as an individual. Phoenix Hospital Group is the data controller. This privacy notice sets out how Phoenix Hospital Group will use your personal data. You can contact our Data Protection Officer (DPO) via email data.controller@phoenixhospitalgroup.com if you have any questions.

5. What Personal Data Do We Collect?

  • Personal information about you such as your name, contact details and date of birth
  • Your financial information if you are a ‘self-pay’ patient or the financial information of the company or individual who is responsible for the payment of invoices/bills relating to your care (e.g. insurer or sponsor)
  • Information about your marital status, next of kin, dependents nominated and/or emergency contacts
  • Information about your nationality and entitlement to treatment in the UK
  • Information received in response to any surveys, complaints or claims

In addition, we need to process special category personal data, including your health data, for the purposes of providing you with care. This includes:

  • Your previous and current medical health records whether provided by referrers or other third parties
  • A record of all treatment provided including medical and nursing notes, records of operations, blood tests and radiology
  • Information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments
  • Information about your philosophical or religious beliefs or sexual orientation, where such information is relevant to inform treatment
  • Information about medical or health conditions of your family

6. How Do You Use My Personal Data?

  • To support the provision of your healthcare
  • To decide how best to provide treatment to you
  • As necessary to support the healthcare contract with you and to allow us to receive full payment for those services
  • To keep your records up-to-date as necessary for our own legitimate interests or those of other persons and organisations
  • For good governance, accounting, and managing and auditing our clinical and business operations
  • To monitor emails, calls, other communications, and activities on Phoenix Hospital Group networks and systems
  • For market research, analysis and developing statistics for improving clinical performance

As necessary to comply with a legal obligation:

  • When you exercise your rights under Data Protection Laws and make requests
  • For compliance with legal and regulatory requirements and related disclosures
  • For establishment and defence of legal rights
  • For activities relating to the prevention, detection and investigation of crime
  • To verify your identity, make credit fraud prevention and anti-money laundering checks; and to investigate complaints, legal claims and data protection or clinical incidents.

Based on your consent:

  • If you ask us to disclose your personal data to other people or organisations;
  • When we process any special categories of personal data about you at your request (e.g. racial or ethnic origin, religious or philosophical beliefs, trade union membership, biometric data (for the purpose of uniquely identifying a natural person), sex life or sexual orientation) where this does not relate to the provision of medical care and maintenance or insurance-related reasons.

You are free at any time to change your mind and withdraw your consent. The consequence might be that we cannot continue to provide full healthcare services to you.

We will process your personal data if you ask us to disclose your personal data to other people or organisations such as an insurance company handling a claim on your behalf.

Where we process your special category personal data (namely, health data such as medical records, treatment notes and other data concerning your health) for the purposes of providing you care, we rely on our obligations under the data protection legislation to process your special category data for health or social care purposes, such as diagnosing you, providing you with treatment and managing your long-term care.

7. How Long Will You Keep My Personal Data?

Information will be kept in accordance with the retention periods outlined in the Information Governance Alliance (IGA) Records Management Code of Practice for Health and Social Care (2016). Information may be held for longer periods where the following apply:

  • Retention in case of queries. We will retain your personal data as long as necessary to deal with any queries you may have
  • Retention in case of claims. We will retain your personal data for as long as you might legally bring claims against us
  • Retention in accordance with legal and regulatory requirements. We will retain your personal data after you have received healthcare services at our facilities based on our legal and regulatory requirements

8. How and Where Do You Store or Transfer My Personal Data?

We will only store or transfer your personal data in the UK. This means that it will be fully protected under the GDPR.

For Phoenix Pathology, only qualified biomedical/clinical scientists registered with the Health and Care Professions Council (HCPC) can release results.

9. Do You Share My Personal Data?

We will not share any of your personal data with any third parties for any purposes except under the following limited circumstances.

  • Consultants/doctors and other healthcare professionals who provide treatment to you at our facilities
  • Other healthcare providers where we feel this will enhance the quality of your care
  • Sub-contractors and other persons who help us to provide healthcare products and services to you
  • Companies and other persons providing services to you as part of your extended care
  • Our legal and other professional advisors, including our auditors
  • Fraud prevention agencies, credit reference agencies, and debt collection agencies
  • Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators)
  • The Information Commissioner’s Office (ICO)
  • Courts, to comply with legal requirements, and for the administration of justice
  • In an emergency or to otherwise protect your vital interests
  • To protect the security or integrity of our business operations and other patients
  • Payment systems and providers
  • Anyone else where we have your consent or as required by law

10. How Can I Access My Personal Data?

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request” or SAR.

All subject access requests should be made in writing and sent to the email or postal addresses shown.

To make this as easy as possible for you, an Application for Access to Health Records form is available for you to use – click here to download. This is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.

We will respond to your subject access request within 14 working days and, in any case, not more than one month after receiving it. Normally, we aim to provide a complete response, including a copy of your personal data, within that time. In some cases, however, particularly if your request is more complex, more time may be required, up to a maximum of three months from the date we receive your request. You will be kept fully informed of progress.

11. How Do I Contact You?

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please email data.controller@phoenixhospitalgroup.com

12. Changes to this Privacy Notice

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.