Privacy Notice

About Birmingham Prostate Clinic

Birmingham Prostate Clinic is the trading name of The Birmingham Prostate Clinic Ltd, Registered Office: Wilson House, Waterberry Drive, Waterlooville, Hampshire, United Kingdom, PO7 7XX.  Company Registration Number 05509497.  Registered in England & Wales.

Birmingham Prostate Clinic (BPC) is registered with the Information Commissioner’s Office, registration number ZA441424.

BPC provides expertise across all urological specialities and welcomes patients from all locations.  Quality assurance is provided by our established and well-regarded multi-disciplinary team, reviewing every cancer treatment plan.

To provide you with high quality and safe care we must keep medical records about you, your health and the care and treatment we have provided, or plan to provide, to you.

Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 strict principles govern our use of data and the duty to ensure it is kept safe and secure.  We have appropriate security measures to protect your personal data and everyone working at the Clinic is subject to the common law duty of confidentiality.  Your data will only be processed or shared where there is a lawful basis to do so.

BPC is a wholly owned subsidiary of Genesis Cancer Care UK Limited (GenesisCare) and for the purposes of data protection legislation BPC jointly controls your data with your consultant and GCUK and together we determine the means and purpose of processing your information for your care and treatment.  The GenesisCare privacy notice can be found here: https://www.genesiscare.com/uk/our-privacy-policy/

This privacy policy

This privacy notice applies to any person who asks about or uses our services. It provides you with information about the data we collect about you, how we process and protect the personal information which we collect about you, from you and from third parties, so that you can be confident that the information is being used safely and in ways that are reasonably expected.  It explains what rights you have in respect of your personal information.

You will find relevant contact details at the foot of this webpage should you have any queries.

When we refer to ‘we’, ‘us’ and ‘our’, it means BPC.

The type of personal data we process

In order to provide you with healthcare services we process personal data and special category personal data as defined under GDPR.

  • Personal data means any data which could identify a person, directly or indirectly, for example, identified by a name, a reference number, date of birth, etc.
  • Special category personal data is data where extra safeguards apply to the processing of such data, for example, details relating to health.

In many cases we anonymise or pseudonymise your information before we share it with others, or where we do not require the data to be in identifiable form.

  • Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place.
  • Pseudonymisation is the processing of information in such a way that it can no longer be attributed to you without the use of additional information and where that additional information is kept separately. This allows for a much wider use of the information for statistical or other purposes.

What data do we collect?

We will keep records about your health and any treatment and care you receive.  Your record may be in a paper format, electronic, or a mixture of both.  The record may include:

  • Basic details about you such as name, address, date of birth and next of kin
  • Your contact details, such as telephone number(s), email address
  • An emergency contact / next of kin
  • Family details, lifestyle and social circumstances, and sex life where relevant to your care
  • Your ethnicity or race and genetic information where relevant to your care
  • Your GP details
  • Relevant information from other healthcare professionals
  • Contact we have had with you, such as appointments and surgery
  • Letters about your health and any treatment you have received
  • Results of investigations, such as x-rays, scans, other images, laboratory tests
  • Diagnoses made, procedures carried out, medications prescribed
  • Clinic or hospital discharge letters
  • Details of your insurance company
  • Details of any consent to treatment or processing of data
  • Financial information, such as credit card details used to pay us.

Communicating with you

We will ask how you wish us to communicate with you when you register.  We may ask if you wish us to leave voice messages, send SMS texts and/or write to you by email. You can change your mind at any time; please let us know.

It is important that you tell us immediately if your contact details have changed.

Please note that we cannot be held responsible should you change your contact number, home or email address and not advise us.  Equally we cannot be held responsible for onwards use or transmission of a text message after you have received it.

Please note that we cannot guarantee the security of your information when you send an email to us.

We will only send confidential health information to your email address if you have consented.

BPC website form

If you complete the form on our website it will be sent to our generic email box for attention. We will use this information to provide you with the services you have requested which may include providing a response to healthcare enquiries, to process job applications, and, where relevant, marketing, administration, development and improvement of this website.  We may supplement the information you provide to us with data that we receive or obtain from other sources and we will store it in your healthcare record if it is appropriate to do so.

Who do we collect data from?

Data about you is provided from the following sources:

  • Directly from you
  • Healthcare professionals
  • Third parties

Directly from you

Information may be collected directly from you to support your direct care and treatment.  This information can be collected when:

  • You register for your provision of healthcare with BPC
  • You use our services
  • You complete an enquiry form on the BPC website
  • You submit a query to us, including through our website or by email
  • You correspond with us by letter, email, telephone (calls from/to patients may be recorded for the purposes of staff training, customer service development and quality improvement) or social media, including where you reference BPC in a public social media post
  • You take part in our marketing activities.

Healthcare professionals

In order to provide you with the best possible care, we collect personal information about you from other healthcare professionals. These can include:

  • Records from your GP
  • Records from other healthcare providers who have previously provided treatment to you (this can include both private organisations and the NHS)
  • Information from service providers in relation to diagnostics and the provision of specialist care and treatment.

Third parties

We may collect information about you from third parties when:

  • We liaise with current or former other healthcare service and support providers
  • We liaise with your next of kin, emergency contact or family
  • We communicate with your medical insurance policy provider
  • You have given your consent to discuss alternative healthcare services
  • We instruct debt collection agencies
  • We communicate with government agencies such as social and welfare organisations where it is legally required for the safety of the individual concerned, for example safeguarding.

CCTV

CCTV recording is in use at our premises but is managed by our landlord, Spire Healthcare.  The purpose of the CCTV is to ensure the security of property and premises and for the prevention and investigation of crime only. Areas monitored by CCTV are sign-posted. The information processed can include visual images, personal appearances and behaviour. Where necessary or required, this information is shared with you, staff and agents, service providers, police forces, security organisations and persons making an enquiry.  Please ask us if you require further information.  The Spire Healthcare privacy notice can be found here: https://www.spirehealthcare.com/legal/privacy-policy/

What is your data used for?

We use (‘process’) your personal data for a number of different purposes, but in all cases we must have a lawful basis for its use. When we use special category data we must have a specific additional lawful basis to do so.

Purposes for using personal data

Purpose: Taking an enquiry, registering a healthcare record and providing care and treatment and related services

When you come to us for care and treatment, we use your personal information, which will include special category personal data, to allow us to provide you with the services you require.

Legal basis for using personal data:

  • The use is necessary to fulfil our contract with you for the provision of care and treatment.
  • We have a legitimate interest in providing you with healthcare services and our business interests justify us using your healthcare data and those interests are not overridden by your privacy rights.

Legal basis for using special category data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Purpose: Communicating with healthcare professionals about your care.

Other healthcare professionals or organisations may need to know about your treatment in order for them to provide you with safe and effective care, and so we may need to share your personal information with them.

Legal basis for using personal data:

  • The use is necessary to fulfil our contract with you for the provision of care and treatment.
  • We have a legitimate interest in providing you with healthcare services and our business interests justify us using your healthcare data and those interests are not overridden by your privacy rights.
  • The use is necessary to comply with a legal or regulatory obligation.

Legal basis for using special category data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Purpose: Sharing with the (electronic) Multi-Disciplinary Team (eMDT).

The eMDT provides a platform for consultants in your specialist reference group to discuss your case.  They will have access to relevant medical data, your diagnostic images and your care plan preferences.  Further information is provided below this table.

Legal basis for using personal data:

  • The use is necessary to fulfil our contract with you for the provision of care and treatment.
  • We have a legitimate interest in providing you with healthcare services and our business interests justify us using your healthcare data and those interests are not overridden by your privacy rights.

Legal basis for using special category data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Purpose: Payment and accounting purposes

We use your personal information to ensure that accounting and invoicing activities are accurate and up-to-date; this may include special category data where appropriate.  GenesisCare UK information is provided below this table.

Legal basis for using personal data:

  • The use is necessary to fulfil our contract with you for the provision of care and treatment.
  • We have a legitimate interest in providing you with healthcare services and our business interests justify us using your healthcare data and those interests are not overridden by your privacy rights.

Legal basis for using special category data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use of your special category personal data is necessary to establish, exercise or defend our legal claims.

Purpose: Clinical audit and improvement of services

We are accountable for ensuring safe clinical and operational practices are implemented and maintained. We undertake regular audits of compliance to ensure high standards of treatment, for quality assurance, to ensure services can meet patient needs in the future and to assess adherence to policy and procedure. GenesisCare UK information is provided below this table.

Legal basis for using personal data:

  • The use of your personal data is necessary to comply with our legal or regulatory obligations.
  • The use is necessary to fulfil our contract with you for the provision of care and treatment.
  • We have a legitimate interest in providing you with healthcare services and our business interests justify us using your healthcare data and those interests are not overridden by your privacy rights.

Legal basis for using special category data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care.
  • The use is necessary for public interest or scientific research purposes so long as it is subject to appropriate safeguards.

Purpose: Clinical training, research and development, assessment of risk factors for specific groups

We will share your personal information only to the extent that it is necessary to do so in assisting research and as permitted by law. Some research projects and/or registries have received statutory approval where consent may not be required in order to use your personal data.

Wherever possible we anonymise your data.

Legal basis for using personal data:

  • The use of your personal data is necessary to comply with our legal or regulatory obligations.
  • We have a legitimate interest in helping with medical research and have put in place appropriate safeguards to protect your privacy.
  • You have given us your consent (further information about the lawful basis of consent is below this table).

Legal basis for using special category data:

  • The use is necessary for public interest or scientific research purposes so long as it is subject to appropriate safeguards.
  • You have given explicit consent.

Purpose: Resolution of queries, concerns, complaints or incidents

If you raise queries, concerns or complaints we will take those communications seriously. We have a robust process for managing incidents.  It is important that we resolve such matters properly and fully to the satisfaction of all concerned, and we will need to use your personal information to do so.

Legal basis for using personal data:

  • The use is necessary to fulfil our contract with you for the provision of care and treatment.
  • We have a legitimate interest in providing you with healthcare services and our business interests justify us using your healthcare data and those interests are not overridden by your privacy rights.
  • The use is necessary for compliance with a legal obligation.
  • You have given us your consent (further information about the lawful basis of consent is below this table).

Legal basis for using special category data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use of your special category personal data is necessary to establish, exercise or defend our legal claims.
  • You have given us your explicit consent.

Purpose: Compliance with legal and regulatory requirements, management of business operations, seeking professional advice and the establishment, exercise or defence of legal claims.

As a provider of healthcare, we are subject to a wide range of legal and regulatory responsibilities.

Legal basis for using personal data:

  • The use is necessary to fulfil our contract with you for the provision of care and treatment.
  • We have a legitimate interest in providing you with healthcare services and our business interests justify us using your healthcare data and those interests are not overridden by your privacy rights.
  • The use is necessary for compliance with a legal obligation.

Legal basis for using special category data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use of your special category personal data is necessary to establish, exercise or defend our legal claims.

Purpose: Preventing and investigating fraud.

This might include sharing your personal information with third parties such as the police or fraud prevention agencies, or carrying out fraud, credit, anti-money laundering and other checks.

Legal basis for using personal data:

  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • The use is necessary for compliance with a legal obligation.

Legal basis for using special category data:

  • We need to use the information for reasons of substantial public interest.

Purpose: Carrying out marketing activities and providing marketing information to you.

Legal basis for using personal data:

  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your consent (further information about the lawful basis of consent is below this table).

Legal basis for using special category data:

  • Not applicable.

Purpose: Transferring your records in connection with any sale, transfer or disposal of our business.

If we were to sell or transfer a centre or part of our business to another organisation, your patient records would also transfer to the new owner.  Limited information may also be shared, where required, with legal and other professional advisors involved in that transaction. Your records would be transferred to minimise the disruption to current and past patients caused by the sale or transfer and to ensure that we and a new owner were able to comply with our legal obligations regarding the retention of patients’ and other clients’ medical records and to ensure continuity of care.

Legal basis for using personal data:

  • The use is necessary to fulfil our contract with you for the provision of care and treatment.
  • We have a legitimate interest in providing you with healthcare services and our business interests justify us using your healthcare data and those interests are not overridden by your privacy rights.
  • The use is necessary for compliance with a legal obligation.

Legal basis for using special category data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Consent as a lawful basis

If we ask for your consent to use your personal data you do not have to agree to the request if you do not want to.  It will not affect your care.  Where you do consent you have the right to withdraw your consent at any time by contacting our Clinic or our DPO (contact details can be found at the foot of this privacy notice) and we will stop using your personal data for that purpose.

electronic Multi-Disciplinary Team (eMDT)

This is a team of medical consultants who will discuss a treatment plan for you via the eMDT platform (developed and supported by the GenesisCare UK processor, Context Health).  You will be referred to consultants in your specialist reference group.  To facilitate the teamwork and the use of the platform your personal and special category data will be uploaded to the GenesisCare UK patient systems in accordance with standard lawful practice.  Consultants working together in the eMDT will discuss your case to recommend the best possible outcome. All eMDT consultants sign a strict privacy agreement as a condition of participating and are bound by data protection legislation.  Data processed in the eMDT function is jointly controlled by GenesisCare UK and the eMDT collaborating Consultants and a legal arrangement is in place between the parties.  Data processed in the audit function is controlled by GenesisCare UK.  Data processed in relation to patient outcomes is controlled jointly by the collaborating Consultants.

GenesisCare UK

BPC is a wholly owned subsidiary of GenesisCare.  For the purposes of Data Protection Legislation, we are a joint controller of your data with GenesisCare and we will collaborate on the following uses of your data:

  • The accounting function: GenesisCare UK finance department have access to our systems in order to ensure the accounting and invoicing activities are accurate and up-to-date.
  • The audit management function: Anonymised data will be used by GenesisCare UK and BPC to monitor and manage activity data to manage services and ensure we can meet patient needs in the future.
  • Incident reporting: In the unlikely event of a data protection breach GenesisCare UK Data Protection Officer and relevant managers will liaise as necessary. All incidents are reported on and managed via the Datix system.

Who Do We Share Your Information With?

We comply with current data protection and confidentiality law and have secure working practices to protect your data both at rest and in transit.  Anyone who receives data from us is also under a legal duty to keep it confidential.

All staff working at BPC are expected to process your personal data in accordance with the principles set out within this Privacy Notice.  Clinical staff will also have their own professional standards to follow.

Sharing with your medical consultant

The medical consultants who look after you (and their medical secretaries and clinical support staff) will maintain records about your health and treatment so that they can make informed decisions about your care.  BPC jointly controls your data with your consultant and GCUK and together we determine the means and purpose of processing your information for your care and treatment.  Your data will only be processed or shared where there is a lawful basis to do so. Consultants who work at BPC may process your personal information at a non-BPC site, for example, a hospital.  In these circumstances the hospital will be the controller and you should refer to the privacy notice supplied by that site.  If you want to find out more about the controllership arrangements please let us know by contacting our Data Protection Officer (DPO); details can be found at the foot of this privacy notice.

Sharing with your private medical insurer

Where the cost of your treatment and care is covered by insurance, we share your information with your insurer or the administrator of the applicable scheme of insurance. BPC and GenesisCare UK are joint controllers of your personal data and your insurer is a separate controller of your personal data. We share information to allow each other to carry out obligations under the arrangements in place, and, in the case of the insurer, to manage claims and administer the schemes for insured members.  Your information may be used in shared activities, for example, pre-authorisation of treatment on your behalf, invoicing for services provided, assisting and cooperating in the investigation of any member complaints, allowing your insurer to inspect and audit our facilities.  Where controllers hold the same information jointly for the same processing purpose you may exercise your rights against any controller. Where we independently hold further information, or process information for purposes in addition to the shared purposes stated above, you should direct any communication concerning your rights to the applicable controller.

Sharing with third parties

We may share your personal information with the third parties listed below for the purposes identified within this privacy notice:

  • A doctor, nurse or other clinician, and pathology and radiology staff involved in the analysis and reporting of diagnostic tests or any other healthcare professional involved in your treatment
  • Other members of support staff involved in the delivery of your care, such as clinic managers, administrators and medical secretaries
  • Anyone that you ask us to communicate with or provide as an emergency contact
  • Other private sector healthcare providers where relevant to your care and treatment
  • Your GP
  • Ancillary service and support providers where you opt to accept those services, such as counsellors and therapists
  • National and other professional research/audit programmes and registries, as identified in this privacy notice
  • Relevant insurance companies
  • Debt collection agencies
  • Third parties, including government bodies, to the extent required by law, regulation or court orders and statutory requests for information
  • Service providers, such as trusted partners that work with us under written contracts with standard data protection clauses, such as confidential waste disposal
  • Auditors, lawyers, marketing agencies and tax advisers if there is a lawful basis to do so, for example in connection with any sale, transfer or disposal of our business.

There are some circumstances where there is a legal obligation for us to process your personal confidential information and you will not be able to opt-out. These include:

  • To protect children and vulnerable adults (safeguarding)
  • When a formal court order has been served upon us
  • When we are lawfully required to report certain information to the appropriate authorities, e.g. to prevent fraud or a serious crime
  • Emergency planning reasons such as for protecting the health and safety of others
  • When permission is given by the Secretary of State or the Health Research Authority to process confidential information without the explicit consent of individuals.

How long do we keep your personal information for?

We retain information in accordance with our legal obligations and national best practice. We ensure compliance through regular auditing and ensure information is securely disposed of when it has reached the end of its retention period. We implement data retention periods for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods. We will only keep your personal information for as long as reasonably necessary in order to support patient care and continuity of care; support evidence-based clinical practice and to assist clinical and other audits; to support our legitimate business interests and to comply with our legal and regulatory requirements.

The national standard retention policy for most medical records is 30 years.  If you require further information please contact our DPO; details can be found at the foot of this privacy notice.

We do not retain credit card information.

International transfers of your personal information

BPC is part of a global organisation. We (or third parties acting on our behalf) may store or process data that we collect about you in countries outside the UK. This may include the GenesisCare group of companies located in Spain and Australia for administrative and management purposes.  Where we make a transfer of your personal information outside of the UK we will take the required steps to ensure that your personal data is protected, for example:

  • The country to which we send the personal information may be approved by the European Commission, or
  • The recipient may have signed a data sharing agreement or contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your personal information.

In other circumstances, the law may permit us to otherwise transfer your personal information outside the EEA. In all cases, however, any transfer of your personal information will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal information when making international transfers, please contact the DPO using the details at the foot of this Privacy Notice.

Your Rights and your personal data

Under data protection law you have a number of specific rights in relation to the personal data that we hold about you. These include the right to ‘be informed’, that is, to know what information we hold about you and how it is used and this privacy notice provides you with that detail.

Under certain circumstances you have the right to:

  • Request access to your personal data (commonly known as a “subject access request”). This enables you to receive a copy of the personal data we hold about you and details of how we are using it. Further information can be found below.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, subject to clinical records management standards.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below). There may be a legal or other reason why we need to retain your data, for example, we would never delete healthcare data, and if this is the case we will tell you.  If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground, for example direct marketing.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it. When processing is restricted, we are permitted to store the personal data, but not further process it other than in relation to the establishment, exercise or defence of legal claims or for reasons of important public interest. We can retain just enough information about you to ensure that the restriction is respected in future.
  • Request the transfer of your personal data to another party. The data portability right only applies where the lawful basis for processing is consent or for the performance of a contract and processing is by automated means.
  • Automated decision-making: You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making in our data processing scenarios.
  • Withdraw consent – In some cases to comply with data protection legislation we need your consent in order to use your personal information. Where we rely on this, you have the right to withdraw your consent to our continuing and further use of your personal information. You can do this by contacting our DPO whose details are at the foot of this privacy notice.

If you wish to exercise any rights or if you have any questions about this privacy notice or how we handle your personal data please contact the Clinic or the DPO.

We will not usually charge for handling a request to exercise your rights and if we cannot comply with your request to exercise your rights we will usually tell you why.

Subject Access Request or SAR

You (or your representative) can request a copy of the personal data we hold about you and details about how we use it. Your information will be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible. Please note that in some cases we may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you.

The information will normally be provided free of charge and, unless there are grounds for extending the statutory deadline, the information will be provided to you within one month of receipt of your request.

We may ask for confirmation of your identity and may need further information from you to locate the information.

Your right to complain to the Information Commissioner’s Office (ICO)

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, for example if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.

Whilst you are not obliged to do so, we would appreciate you making us aware of any issue prior to notifying the ICO and giving us the opportunity to respond. Please contact the BPC DPO whose details are at the foot of this privacy notice.

Making a complaint will not affect any other legal rights or remedies that you have.

Information Commissioner’s Office, at casework@ico.org.uk, or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or telephone 0303 123 1113 (local rate call).  Website: https://ico.org.uk/

Securing your data

We have implemented appropriate technical and organisational security to protect your personal information. This includes:

  • Ensuring our staff complete regular training
  • Ensuring personal information is only accessible and shared with individuals that have a need to access it
  • Implementing physical access controls within our facilities and technical controls such as encryption
  • Using information about you that does not uniquely identify you, where appropriate
  • Where personal information is transferred outside of the UK, we will ensure there are appropriate security measures in place to protect the data in accordance with UK Data Protection Laws
  • All of our employees are bound by the Common Law of Confidentiality; this means they have a legal duty to keep your information confidential and secure
  • Using robust data sharing agreements or contracts based on “model contractual clauses” approved by the European Commission, obliging our processors to protect your personal information.

Please let us know if you require further information about how we secure your data.

Covid-19 Measures

Birmingham Prostate Clinic has put measures in place to ensure the safety of all patients and staff.  Some consultations between doctors and patients will utilise ‘telehealth’ technology and patients may be invited to join a Zoom consultation or use FaceTime or WhatsApp.  The relevant privacy notices can be found as follows:

Zoom: https://zoom.us/privacy

FaceTime: https://support.apple.com/en-us/HT209110

WhatsApp: https://www.whatsapp.com/privacy/?lang=en

We do not record consultations.  Any notes taken during the consultation about your healthcare will be added to your medical record which is held securely on our patient system.  Further information relating to your personal data can be found below.

The lawful basis for processing is:

  • Your personal data: Legitimate Interest [GDPR 6(1)(f)] – the processing is necessary to support the continuity of care during the Covid-19 pandemic;
  • Your special category data: Provision of Health and Social Care [GDPR 9(2)(h)].

Updates to this Privacy Notice

We may update this Privacy Notice from time to time to ensure that it remains accurate. In the event that these changes result in any material difference to the manner in which we process your personal data we will signpost you to the specific changes.

Queries

If you have any queries or would like to exercise your rights or to establish whether any rights apply to you, please contact:

Or write to
Birmingham Prostate Clinic
Parkway Hospital
Damson Parkway
Solihull
B91 2PP