• MenuClose

Privacy notice for BPC patients

Birmingham Prostate Clinic

Birmingham Prostate Clinic is the trading name of The Birmingham Prostate Clinic Ltd, Registered Office: Wilson House, Waterberry Drive, Waterlooville, Hampshire, United Kingdom, PO7 7XX.  Company Registration Number 05509497.  Registered in England & Wales.  Birmingham Prostate Clinic (BPC) is registered with the Information Commissioner’s Office, registration number ZA441424.

BPC is a wholly owned subsidiary of Genesis Cancer Care UK Limited (GenesisCare). The GenesisCare privacy notice can be found here:

This privacy notice

BPC is a supplier of professional medical administrative services which support individual Consultants provide high quality patient care. This Privacy Notice applies to those individuals who are in contact with the BPC administrative staff.

In the Consultant-support role, e.g. managing communications, scheduling, medical records, etc. BPC’s data protection role is as a Processor of data. In some scenarios, GenesisCare, as the parent company, will also be a Processor of Consultant data.

The Controllers of your health and care data will generally be those providing treatment, i.e. your Consultant, the Hospital you attend, and any other health and care professionals you are referred to.  These Controllers will be able to supply you with their Privacy Notice.

Where BPC is required to deal with issues that relate to the administrative services, its role will be as a Controller of the data. This privacy notice sets out what information is collected about you in these scenarios.

What information do we collect and use

We are committed to respecting and protecting your privacy whenever we use your data.

Types of data

Personal DataPersonal data means any information relating to an identifiable person who can be directly or indirectly identified for example by a name, an identification number, location data, date of birth, etc.
Special Category Personal DataThis data has extra safeguards apply to its processing.  It is data about an individual’s racial or ethnic origin; political opinion; religious or philosophical beliefs; trade union membership; sex life or sexual orientation; health, including genetic and biometric data where processed to uniquely identify an individual.
Pseudonymised DataThis is where data has been masked so that it can no longer be attributed to a specific data subject without the use of additional information (‘the key’) which is kept separately and securely. This data type is processed as personal data.
Anonymised DataIf data has been turned into a form which does not identify individuals, and where the risk of re-identification is extremely low, data protection legislation does not apply.
Aggregate DataAnonymised data which has been grouped together to provide statistics.

Birmingham Prostate Clinic as a Processor

BPC will be processing your data on behalf of the Consultants who will be the Controller of your data and who will provide you with a Privacy Notice.

The dataThe purpose – on behalf of the Consultants
Your name, address, date of birth; contact details, such as address, telephone number(s), email address.Log of incoming calls and/or messages.Your GP details; relevant information from other health and care professionals; an emergency contact or next of kin; details of appointments and surgery; about your health, treatment, procedures, results, diagnoses, medications, consent to treatment or processing of data.Details of your insurance company; financial information, such as credit card details used to pay us (we do not store credit card information) To progress your enquiry, e.g. from the website, or where you contact us by email or telephoneTo support communications, scheduling and other administrative servicesTo maintain a health and care record for use by your Consultant and/or other relevant provider/s of services and treatmentTo support the payment and accounting function including credit control

In the following scenarios GenesisCare will also be a Processor of your data:

The dataThe purpose – on behalf of the Consultants
Details relating to a right to access or other data subject rights by you or your representative  To keep records of the Right of Access requests and responses
Photographs, articles, patient storiesTo support marketing activities and you have consented to provide your information
Complaints or concerns in relation to clinical mattersTo provide the clinicians with support during the process
Audit and statistical clinical data. This data is anonymisedFor assurance purposes

Birmingham Prostate Clinic as a Controller

In the following scenarios BPC is a controller of your data and takes responsibility for compliance with the UK GDPR and data protection principles.

Data being processedPurpose of the processingData Protection Designation and Lawful BasisData may be shared with:
Audit of governance related dataThis data is anonymisedFor Information Governance audit and monitoring purposesDue diligenceBPC is a joint controller with its parent company, GenesisCare UK.  The data is anonymised.GenesisCare UK staff on the Information Governance Committee
Data and correspondence relating to feedback, complaints, adverse events, etc. relating to the administration services provided by BPCTo keep a record of discussions, investigations and any formal action taken and manage audit and compliance requirementsBPC is a joint controller with its parent company, GenesisCare UK.  The lawful basis for processing is Legitimate Interest (GDPR article 6(1)(f)) and/or Management of Health Care Services (GDPR article 9(2)(h))Relevant BPC and GenesisCare staff and teams (e.g. Legal, IT)BPC Consultant/sThe police and/or regulatory bodies if requiredOther individuals involved in any incidentThird parties relevant to the circumstances
Information in relation to managing mergers, acquisitions and divestitures or enforcing or defending our legal rights to the extent that BPC acts as a controllerTo preserve the legal and other interests of BPCBPC is a joint controller with its parent company, GenesisCare UK.  The lawful basis for processing is Legitimate Interest (GDPR article 6(1)(f)) and/or Management of Health Care Services (GDPR article 9(2)(h))Relevant BPC and GenesisCare staff and teams (e.g. Legal, IT)BPC Consultant/sThird parties relevant to the circumstances

Sometimes, we may be required to share personal data to comply with a statutory obligation, a court order or for the prevention or detection of a crime or apprehension of an offender.

How we obtain your information

We will collect, or be provided with, and process information about you, for example:

  • Whilst supporting Consultants and other Health and Care Professionals
  • Where received directly from you
  • Where received from third parties (legitimately obtained or transmitted to us).

International transfers of your personal data

BPC is a subsidiary of GenesisCare UK which is part of a global organisation and we (or third parties acting on our behalf) may store or process personal data within the GenesisCare group of companies for administrative and management purposes. This processing is based on our own or a third party’s legitimate business interests.

As a global organisation we may engage global suppliers for the provision of services to the GenesisCare Group of companies and such suppliers may also be located outside the UK.

Where we transfer your personal data to a third country or international organisation, we will ensure adequate safeguards and measures are in place to protect your personal data from unlawful use and ensure your fundamental rights are capable of being upheld. We would normally achieve this by:

  • Only transferring personal data to countries deemed capable of providing an adequate level of protection; or
  • Implementing Standard Contractual Clauses; and
  • Adopting technical, organisational and contractual measures, where required, having undertaken a Data Transfer Impact Assessment to ensure that your rights in the country of transfer are essentially equivalent to your rights in the UK.

In certain situations, it may be possible to legitimise the transfer by relying on a derogation. For example, if:

  • You have explicitly consented to the proposed transfer; or
  • The transfer is necessary for the performance of a contract.

In all cases any transfer of your personal data will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal data when making international transfers, please contact the DPO, details at the end of this Privacy Notice.

Data Security

We will secure your information by:

  • Having contractual arrangements and safeguards in place in the various data protection designation scenarios
  • Establishing a network of individuals across the organisation who are accountable and responsible for information risk management
  • Existence of various organisational measures including policies and procedures, providing regular training in handling personal data lawfully and conducting regular compliance checks
  • Technical measures including lockable rooms, cabinets, individual log in credentials, encryption and secure disposal of confidential waste
  • Ensuring only appropriate individuals have access to relevant and proportionate information about you
  • Carrying out checks on third parties who process personal data on our behalf.

Data Retention

Where we are a Processor we will retain data in accordance with the Controller’s instructions.

Where we are a Controller we retain records in accordance the legal and best practice requirements of the Records Management Code of Practice.  When the retention period expires the record will be securely destroyed.  The following are examples:

Record TypeRetention StartRetention PeriodNotes
Incident relating to the administration services provided by BPCClosure of incidentIncidents (serious) – 20 yearsIncidents (not serious) -10 years
Complaints / investigation case file relating to the administration services provided by BPCClosure of complaint / investigation10 years
Subject Access Request (SAR) and disclosure relating to the administration services provided by BPCClosure of SAR3 years from closure of the request Or 3 years from the closure of any subsequent review or complaint

Rights of access, correction, erasure, and restriction

Under data protection law you have a number of specific rights in relation to the personal data that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting the DPO, details at the end of this privacy notice and without adversely affecting you.

We will not usually charge for handling a request to exercise your rights. If we cannot comply with your request to exercise your rights we will usually tell you why.  Unless there are grounds for extending the statutory deadline we will respond within one month of receipt of a Rights request.  If the data relates to health we may be required to apply special rules to comply with data protection legislation.

  1. The right to be informed – This is fulfilled through our privacy notices.
  2. The right of access to your personal data – You have the right to request details and a copy of the personal data we hold about you and details about how we use it. We must confirm whether we have personal data about you, and we also need to provide you with a copy of your personal data. We will usually provide you with your personal data in writing unless you request otherwise. If you have made the request electronically (e.g. by email) the personal data will be provided to you electronically where possible. In some cases we may not be able to fully comply with your request, for example if your request involves another person’s personal data and it would not be fair to that person to provide it to you.
  3. The right to rectification – You can require that incomplete information is completed, or incorrect information is corrected. This ensures your information is accurate and up-to-date.
  4. The right to erasure – This is also known as the right to be forgotten. In some circumstances, you have the right to request that we delete the personal data we hold about you. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If we have disclosed the personal data in question to third parties, we will inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. However there are exceptions to this right. For example, we can refuse to delete your personal data if we need to keep for tasks which are in the public interest, or for establishing, exercising or defending legal claims. If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.
  5. The right to restriction of processing – In some circumstances you have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it other than in relation to the establishment, exercise or defence of legal claims or for reasons of important public interest. We are able to retain just enough information about you to ensure that the restriction is respected in future.
  6. The right to data portability – Where you have provided the information to us, and where the processing is being carried out by automated means and based on your consent or pursuant to the performance of a contract with you, you have the right to obtain the information that this organisation processes about you and use it for your own purposes. This means you have the right to receive the personal data or where it is technically feasible, have the information transferred to an individual or organisation of your choice, and the information must be provided by us in an electronic format.
  7. The right to object – You have the right to object to processing based on our legitimate business interests (including profiling), direct marketing (including profiling) and processing for purposes of scientific or historical research or statistical research purposes. The objection must be on grounds relating to your particular situation.
  8. The right not to be subject to automated decisions – This relates to decisions that are made about you by computer alone that have a legal or other significant effect on you. We do not carry out automated decision-making in relation to the processing of your data. In the event that our policy in this respect changes, we shall update this privacy notice.
  9. Your right to withdraw consent – In some cases to comply with data protection legislation we need your consent in order to use your personal data. Where we rely on this, you have the right to withdraw your consent to our continuing and further use of your personal data. You can do this by contacting the DPO, details below.

Information Commissioners Office

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, for example if you are unhappy with the way that we have dealt with a request from you to exercise your rights, or if you think we have not complied with our legal obligations.

Whilst you are not obliged to do so, we would appreciate you making us aware of any issue prior to notifying the ICO and giving us the opportunity to respond. Please contact the DPO, details below.

Making a complaint will not affect any other legal rights or remedies that you have.

Information Commissioner’s Office, at, or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or telephone 0303 123 1113 (local rate call).  Website:

Questions and queries

If you have any queries or would like to exercise your rights or to establish whether any rights apply to you, please contact:

Or write to
Birmingham Prostate Clinic
Parkway Hospital
Damson Parkway
B91 2PP

Revised October 2023