Introduction
This Privacy Notice sets out important details of the information ("personal data") that Spire Healthcare and the healthcare professionals responsible for your care (including their medical secretaries) will collect and hold about you, how we use your personal data and how protect it. It also provides information on your rights in relation to your personal data.
This Privacy Notice also outlines how personal data relating to patients referred to healthcare professionals for an assessment in connection with medico-legal proceedings will be collected and used.
This Privacy Notice applies to anyone who receives healthcare services at Spire (“care”) and describes how we handle your personal data regardless of the way you interact with us (for example, in person, by email, through our website, by phone and so on). Please take your time to read this Privacy Notice carefully.
View a summary of the Privacy Notice aimed at those aged 13 to 18
About us
In this Privacy Notice we use "we" or "us" or "our" or "Spire" to refer to the Spire company who is using your personal data, and the healthcare professionals who provide your care.
When we write to you, we will let you know which company within the Spire group of companies is making decisions about collecting, using and holding your personal data. Depending on your relationship with us, this may be:
- Spire Healthcare Group plc, 3 Dorset Rise, London, EC4Y 8EN, Company No. 09084066
- Spire Healthcare Limited, 3 Dorset Rise, London, EC4Y 8EN, Company No. 01522532
- Montefiore House Limited, 3 Dorset Rise, London, EC4Y 8EN, Company No. 07414715
- Didsbury MSK Limited, 3 Dorset Rise, London, EC4Y 8EN, Company No. 10998362
- Claremont Hospital LLP, 3 Dorset Rise, London, EC4Y 8EN, Company number OC385492
How to contact us
The Data Protection Officer ("DPO") helps ensure that the Spire group of companies comply with data protection law. Our DPO has responsibility for data protection compliance in respect of the companies set out above.
The DPO can be contacted by:
- Telephone: 020 7427 9071
- Email: dataprotection@spirehealthcare.com
- Post: Data Protection Officer, Spire Healthcare, 3 Dorset Rise, London, EC4Y 8EN
If you would like further information about any of the matters in this Privacy Notice or have any other questions about how we collect, store or use your personal information, please contact the DPO using the details above.
Data protection during coronavirus (COVID-19) pandemic
Spire Healthcare is very proud to be supporting the NHS in its response to the COVID-19 (coronavirus) pandemic (the “Pandemic”). During these unprecedented times, Spire Healthcare’s main priority is the health and safety of our patients, colleagues and the wider community as well as supporting the NHS in responding to the Pandemic.
Each of our hospitals is working in collaboration with their local NHS trusts to ensure we can provide the help they require, when it is needed. As a result of these unique circumstances, Spire Healthcare may need to share personal data with the NHS and other regulatory and government bodies.
While Spire Healthcare will always use (or “process”) your personal data in accordance with our data protection obligations under the data protection legislation, the duty of confidentiality and Spire’s Privacy Notice, during the Pandemic we will also use your personal data for the purposes and using the lawful bases as set out below:
Legal bases for using your personal data
Where we use your personal data, including sharing it, as part of our work during the Pandemic we will rely on the following legal bases:
- Contract: using your personal data is necessary to provide your care and related services and to fulfil our contract with you for the delivery of your care (Article 6 (1) (b)
- Legitimate interests: using your personal data is necessary for our legitimate interests and such interest does not cause harm to you (Article 6 (1)(f))
- Legal obligation: using your personal data is necessary for compliance with a legal obligation (Article 6 (1)(c))*
- Vital interests: using your personal data is necessary to protect someone’s life (Article 6 (1)(d))
- Public interest: using your personal data necessary to perform a task in the public interest. Article 6 (1)(e)
We will also rely on the following additional legal bases for using your special category data
- Employment, social security and social protection: using your special category data is necessary for carrying out our obligations and exercising our or your rights under employment, social security and social protection law (Article 9 (2)(b))
- Vital interests: using your special category data is necessary to protect your vital interests (Article 9 (2)(c))
- Substantial public interest: using your special category data is necessary for reasons of substantial public interest (Article 9 (2)(g))
- Provision of health or social care: using your special category data is necessary for preventive or occupational medicine, for the assessment of the working capacity of our employees, for medical diagnosis, to provide your care or for the management of health or social care systems and service (Article 9 (2)(h))
- Public health: using your special category data is necessary for reasons of public interest in the area of public health such as protecting against serious cross border threats to health (Article 9 (2)(i))
* This includes the Notice by Secretary of State under Reg 3(4) of Health Service Control of Patient Information Regulations issued 1 April 2020 allowing healthcare providers to share personal data and any other such notice that may be issued to support efforts against COVID-19.
Purposes for sharing your personal data
During the COVID-19 pandemic your personal data may be shared for the following purposes:
- Understanding COVID-19 trends and risks to public health and controlling and preventing the spread of COVID-19
- Identifying and understanding information about patients or potential patients with or at risk of COVID-19 including patient exposure to COVID-19
- Management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19
- Understanding capacity and availability information about patient access to health services and adult social care services
- Monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information (including workforce details) to the public about COVID-19
- Delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19
- Research and planning in relation to COVID-19
Coronavirus (COVID-19) testing for Spire Healthcare colleagues and their household
Spire Healthcare has begun a COVID-19 screening program for certain colleagues and the members of their household, to ensure patient and colleague safety and to facilitate our colleagues’ self-isolation and return to work. These tests will be processed by Spire Healthcare, and all personal data collected as part of this will be processed in accordance with this message and the full Spire Privacy Notice.
We will keep this message under review and update it if we need to.
This message is supplemental to the full Spire Privacy Notice.
View more information on Spire Healthcare and data protection during COVID-19
Your personal data and healthcare professionals
As a patient of Spire, your care may be provided by a healthcare professional who is a medical practitioner including consultants, nurses, and other clinical support professionals. In this Privacy Notice, we refer to all such individuals as “healthcare professionals”. Those healthcare professionals make decisions about what personal data they need to collect about you, and may maintain their own set of medical records in relation to your care. They are a Data Controller of your personal data which they hold within those records, meaning that they must also comply with the data protection legislation and relevant guidance when handling your personal data. This includes using your personal data as set out in more detail below. Most healthcare professionals are expected to use personal data as set out within this Privacy Notice. There may be circumstances, however, where healthcare professionals do things slightly differently to Spire. In those particular circumstances, it is the responsibility of the healthcare professional to ensure that their use of your personal data is lawful, inform you as to exactly how it will be used and provide you with their own Privacy Notice setting this out.
Healthcare professionals who work with Spire are supported by a medical secretary who will use your personal data only as instructed by your healthcare professional. This could include, for example, preparing letters about your care or liaising with you about appointments. In some circumstances, that medical secretary will be employed by Spire and they will handle your personal data in accordance with this Privacy Notice. However, in other circumstances the secretary may be employed by the consultant, by other healthcare providers (private or NHS), or be self-employed. This means that your personal data may be handled by third parties at their sites. It is your healthcare professional’s responsibility to inform you if their medical secretary is employed by a third party and the manner in which they will use your personal data (including where they are based). Spire is not responsible for any use of your personal data by third parties, eg medical secretaries who are not employed by Spire.
Also, healthcare professionals who work with Spire (including their medical secretaries) may process your personal data at a non-Spire site (medical or non-medical).
If you want to find out more about the arrangements between Spire and your healthcare professional for handling your personal data, or you have any concerns about the way your healthcare professional has handled your personal data, please contact our Data Protection Officer (“DPO”). The DPO's contact details can be found at the bottom of this page.
What personal data do we collect and use from patients?
As a Spire patient, we will collect and use personal data about you including:
- your name, address and contact details
- financial information, such as credit card details used to pay us
- occupation
- emergency contact details, including next of kin
- background referral details
- any images taken of you by the closed-circuit television (“CCTV”) systems we have installed at our hospitals
Special categories of personal data
We also collect and use more sensitive personal data (known as "special category data") about you, such as information relating to your physical and mental health. Special category data must be handled even more sensitively than “standard” personal data. For example, if you are a patient we will need to use personal data about your health in order to provide your care. Your special category personal data will be managed in accordance with the law and this Privacy Notice and also all applicable professional standards including guidance from the General Medical Council and British Medical Association.
The special category personal data we hold about you includes the following:
- details of your current or former physical or mental health. This may include personal data about any healthcare services you have received (both from Spire directly and other healthcare providers such as GPs, dentists or hospitals (private and/or NHS)) or need, including about clinic and hospital visits and medicines administered. This may also include details of previous healthcare services you have received from other healthcare providers in circumstances where medical negligence is alleged, or being investigated, against that third party provider. We provide further details below on the manner in which we handle such personal data
- details of care you have received from us including any images taken in relation to your care
- details of your nationality, race and/or ethnicity
- details of your religion
- details of any genetic data or biometric data relating to you
- data concerning your sex life and/or sexual orientation
The confidentiality of your medical information is important to Spire. We make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health. In doing so, Spire complies with UK data protection law, including the Data Protection Act 2018, and all applicable medical confidentiality guidelines issued by professional bodies including, but not limited to, the General Medical Council and the Nursing and Midwifery Council.
Other people’s personal data
If you provide us with personal data about another person, you must inform that person about the contents of this Privacy Notice.
Changes to your personal data
In addition, if you change personal data which we already hold about you (for instance by changing a pre-populated form) then we will update our systems to reflect the changes, but our systems will also continue to hold the originally recorded personal data.
How do we collect your personal data?
Directly from you
We may collect personal data directly from you when you:
- enter into a contract with us for the provision of your care
- use that care
- have remote consultations with a healthcare professional including virtual or by telephone
- complete enquiry forms on our website
- send us a question including through our website, by email or by social media
- correspond with us by letter, email, telephone (all incoming and outgoing calls from/to patients are recorded) or social media, including where you reference Spire in a public social media post
- attend our hospitals and are recorded on the CCTV systems we have installed
- take part in our marketing activities
- use Spire GP
From other healthcare providers
Our patients will usually receive healthcare services from other organisations in addition to Spire, and so in order to provide you with the best care possible we may have to collect personal data about you from other organisations. This may include medical records from:
- your GP
- your healthcare professional (including their medical secretaries)
- your dentist
- the NHS or any private healthcare organisation
- mental health providers
Medical records include personal data about your tests and diagnosis, clinic and hospital visits and medicines administered.
NHS Summary Care Record (SCR)
Your NHS Summary Care Record (SCR) is an electronic record of important patient information, including medication, allergies, bad reactions to medicines, and where available past and present medical information, created from your GP medical record. They can be seen and used by authorised staff in other areas of the health and care system involved in a patient’s direct care. Prior to your appointment with Spire your NHS Summary Care Record will be available to view by the hospital staff involved in your care, unless you have previously opted-out of having an SCR. Access to your SCR optimises patient safety allowing us to make the most clinically informed decisions. You find more information about your SCR at https://digital.nhs.uk/services/summary-care-records-scr
If you do not want our staff to access your SCR, or you have any queries please contact the hospital where you will be receiving your treatment.
From other third parties
We may also collect personal data about you from other third parties as follows:
- solicitors or other third parties acting on your behalf in connection with medico-legal proceedings
- your current or former employer, healthcare professional or other healthcare services or benefit provider
- your family
- your insurance policy provider
- experts (including medical experts) and other service providers about your care
- NHS health service bodies about your care
- credit reference agencies
- debt collection agencies
- government agencies, including the Ministry of Defence, the Home Office and HMRC
- commissioners of healthcare services
If you (or the relevant other healthcare providers and other third parties outlined above) do not provide us with the personal data that we ask for, then we may be unable to provide your care.
How will we communicate with you?
We are likely to communicate with you by telephone, SMS, email, and/or post. If we call the telephone number(s) which you have provided, and the call directs to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service.
In particular:
- to provide you with timely updates and reminders about your care, we may send you SMS messages and/or email
- to provide you with your medical information (including test results and other clinical updates) and/or invoicing information, we may communicate with you by encrypted email.
- the first time we send you any important encrypted email eg one that we are not also sending by post or which requires you to take an action, we will try to contact you separately to ensure that you are able to access that encrypted email
- if we have your mobile number or your email address we may use them to ask you to complete patient surveys which are for the purpose of improving our service or monitoring outcomes and are not a form of marketing.
We will provide you access to our online portal, called MySpire. MySpire enables patients to view their appointments and complete their registration form online and have access to resources in relation to their treatment. Additional features will be developed over time.
Patient surveys, audits and initiatives
We may contact you to ask you to participate in patient surveys regarding your care. We will usually send these surveys to you by email or SMS message. These surveys are not a form of marketing and they do not try to sell you any further products or services. They are solely to get your feedback on your experience, to improve the quality and safety of the healthcare services we offer to future patients. It is entirely up to you whether you participate in the surveys and you can unsubscribe from receiving further survey requests. We use the responses you provide to make improvements to our services. You may also opt in to receiving a call back to discuss your responses.
In addition, we may also contact you to invite you to participate in on-line surveys regarding the clinical outcomes of your care called Patient Reported Outcome Measures (“PROMs”). Again, these are not a form of marketing. If you are a private patient your PROMs results are shared with PHIN (see the next section), and if you are an NHS patient your PROMs results are shared with NHS England. We may send you an initial invitation asking you to participate before you receive your care, by post, SMS, email or in person when you attend the hospital for your care. If you choose to complete a PROMs survey you will also receive subsequent surveys after your care to help establish the benefit you have gained from treatment.
How do we use your personal data?
We use (or “process”) your personal data for a number of different purposes but in all cases, we must have a legal basis for doing so. When we use “special category of personal data” such as personal data relating to a person’s health, (see section on Special categories of personal data above) we must have a specific additional legal basis to do so.
Generally we will rely on the following legal bases:
Contract:
- we need to use your personal data to take steps so that you can enter into a contract with us and/or a healthcare professional to provide your care
- we need to use your personal data to provide your care in accordance with a contract between you and Spire and/or healthcare professional. We will rely on this for activities such as supporting your care and other benefits, supporting your doctor, nurse, carer or other healthcare professional and providing other services to you; and/or
- we need to use your personal data to assist your investigation of potential medical negligence against another healthcare provider by registering you on Spire systems. The medico-legal assessment may be performed by one of our healthcare professionals, or it may simply be a diagnostic test performed by us.
- Legitimate interests: we need to use your personal data for our legitimate business interest to process your personal data and such interest does not cause harm to you. We will rely on this for activities such as quality assurance, maintaining our business records, developing and improving our products and services and helping with medical research.
- Legal obligation: we need to use your personal data to comply with our legal or regulatory obligations.
- Legal claims: we need to use your special category personal data to establish, exercise or defend our legal claims.
- Consent: you have given us your consent to use your personal data for this purpose.
Generally, we will only ask for your consent to use your personal data if there is no other legal basis to use it. If we ask for your consent, we will always aim to be clear and transparent about why we need your consent and what we are asking it for. Where we are relying on consent to use your personal data you have the right to withdraw your consent at any time by contacting our DPO (contact details can be found at the bottom of this document) and we will stop using your personal data for that purpose.
You will find details of the legal bases for each of our purposes below.
Purpose 1: To set you up as a patient on Spire’s systems
We have to carry out checks including carrying out fraud, credit, anti-money laundering and other regulatory checks for you to become a patient (which includes when you have a medico-legal assessment, or a diagnostic test). We cannot perform these checks without using your personal data.
Legal bases for using your personal data
Contract: to take steps so that you can enter into a contract with us for the delivery of your care, and/or in connection with a contract for a healthcare professional to carry out a medico-legal assessment, or a contract for Spire to perform a diagnostic test.
Additional legal bases for using your special category personal data
Substantial public interest: for reasons of substantial public interest; and
Legal claims: to establish, exercise or defend our legal claims.
Purpose 2: To provide your care and related services
Clearly, the reason you come to us is to receive care, and so we have to use your personal data for that.
Legal bases for using your personal data
Contract:
- to provide your care and related services; and
- to fulfil our contract with you for the delivery of your care.
Additional legal bases for using your special category personal data
Health or social care: to provide your care; and
Vital interests: to protect your vital interests where you are physically or legally incapable of giving consent, for example in an emergency if you are incapacitated.
Purpose 3: To settle your account
We will use your personal data to ensure that your account and billing is fully accurate and up-to-date
Legal bases for using your personal data
Contract:
- to provide your care and other related services; and
- to fulfil our contract with you for the delivery of your care; and
Legitimate interests: for our legitimate business interest to ensure that we are paid for providing your care which does not overly prejudice you.
Additional legal bases for using your special category personal data
Health or social care: to provide your care; and
Legal claims: establish, exercise or defend our legal claims.
Purpose 4: For internal clinical audit, National Clinical Audit, medical research purposes, and product testing and improvement
Internal clinical audit
There may be a clinical audit of health records, including medical information, carried out by Spire to assess care standards and identify any improvements we could make, or as required by law.
Legal bases for using your personal data
Legal obligation: to comply with our legal or regulatory obligations;
OR
Legitimate interests: for our legitimate business interest in making improvements and we have put appropriate safeguards in place to protect your privacy so that this use does not overly prejudice you.
Additional legal bases for using your special category personal data
Substantial public interest: for reasons of substantial public interest; and
Health or social care: for the management of health or social care systems and services.
National Clinical Audits
We may share your personal data with National Clinical Audits, Clinical Outcome Review Programmes and other national quality improvement projects. We may also share your personal data with other audit programmes set up by professional associations that we think we should participate in.
Legal bases for using your personal data
Legal obligation: to comply with our legal or regulatory obligations;
OR
Legitimate interest: for our legitimate business interest in:
- helping with medical research; and
- making improvements,
and we have put appropriate safeguards in place to protect your privacy so that this use does not overly prejudice you.
OR
Consent: You have given us or the organisation collecting your personal data your consent to use your personal data for this purpose.
Additional legal bases for using your special category personal data
Substantial public interest: for reasons of public interest for statistical and scientific research purposes.
Medical research
We also participate in medical research and may share personal data with ethically approved research projects.
Any published data from these programmes will be in an anonymised, statistical format.
Legal bases for using your personal data
Legitimate interest: for our legitimate business interest in:
- helping with medical research; and
- making improvements,
and we have put appropriate safeguards in place to protect your privacy so that this use does not overly prejudice you.
OR
Consent: You have given us or the organisation collecting your personal data your consent to use your personal data for this purpose.
Additional legal bases for using your special category personal data
Substantial public interest: for reasons of public interest for statistical and scientific research purposes.
Product testing and improvement
We may need to use your medical records to test the quality and effectiveness of new systems that we implement to improve the care and treatment we provide or assist in the management of our clinical services.
Legal bases for using your personal data
Legitimate interests: for our legitimate business interest in making improvements in our systems and services which have been appropriately assessed and where we have put safeguards in place to protect your privacy so that this use does prejudice your privacy rights.
Purpose 5: Disclose information to Private Health Care Information Network (“PHIN”)
Under the Competition and Markets Authority Private Healthcare Market Investigation Order 2014, we are required to provide PHIN with personal data related to your care, including your NHS Number and postcode, the nature of your procedure, the length of your stay in hospital, whether there were any complications, your recovery and improvement post-treatment, and any feedback you gave us as part of the PROMS survey.
PHIN is an organisation who will monitor outcomes of patients who receive private healthcare services, as part of a UK-wide programme to improve the public's access to information on the quality and outcome of private healthcare.
Information about how PHIN uses personal data, including its Privacy Notice, is available at www.phin.org.uk.
Legal bases for using your personal data
Legal obligation: to comply with our legal or regulatory obligations; and
Legitimate interests: for our legitimate business interest to ensure that the quality of and outcomes of patients’ private healthcare is monitored, and where this does not overly prejudice you.
Additional legal bases for using your special category personal data
Substantial public interest: for reasons of substantial public interest; and
Health or social care: for the management of health or social care systems and services.
Purpose 6: Contacting you and resolving queries or complaints
From time to time, patients may raise queries, or even complaints, with us and we take those communications very seriously. We will need to use your personal data to resolve such matters fully and properly.
Legal bases for using your personal data
Contract: to provide your care and other related services; and
Legitimate interests: for our legitimate business interest to ensure our patients’ queries and complaints are answered, which does not overly prejudice you.
Additional legal bases for using your special category personal data
Health or social care: to provide your care; and
Legal claims: to establish, exercise or defend our legal claims.
Purpose 7: Liaising with other healthcare professionals about your care and updating others (such as your emergency contact)
We may need to share your personal data with the individuals that you ask us to update about your care.
Also, other healthcare professionals or organisations may need to know about your care for them to provide you with safe and effective healthcare services, and so we may need to share your personal data with them.
Details on these professionals or organisations are set out in the Third parties section below.
Legal bases for using your personal data
Contract: to provide your care and other related services; and
Legitimate interests: for our legitimate business interest in ensuring that other healthcare professionals who are routinely involved in your healthcare services have a full picture of these services.
Additional legal bases for using your special category personal data
Health or social care: to provide your care
Substantial public interest: for reasons of substantial public interest; and
Legal claims: to establish, exercise or defend our legal claims.
Purpose 8: Investigating and responding to concerns, complaints or claims, complying with our legal or regulatory obligations and defending or exercising our legal rights
We are subject to a wide range of legal and regulatory responsibilities which we cannot list fully here and we may be required by law or by regulators to provide personal data.
We may also have to consider and/or discuss with appropriate third parties your care in the context of concerns over a healthcare professional’s performance or clinical competence.
If we and our healthcare professionals are the subject of legal actions or complaints, then we need to access your personal data to fully investigate and respond to those actions.
Legal bases for using your personal data
Legal obligation: to comply with our legal or regulatory obligations; and
Legitimate interests: for our legitimate interests in ensuring that you, and others, receive safe care and treatment.
Additional legal bases for using your special category personal data
Health or social care: for others to provide informed healthcare services to you;
Health or social care: to provide your care or treatment or the management of health or social care systems; and
Legal claims: to establish, exercise or defend our legal claims.
Purpose 9: Providing improved quality, training and security (for example, recording or monitoring phone calls to our contact numbers) and conducting pre and post treatment surveys
We are a quality-conscious organisation, always looking to learn from our patients’ experiences to improve our services for the purposes of patient safety and quality. We will use your personal data to identify where we can make these improvements, such as by reviewing recorded phone calls to assess whether we can learn any lessons and contacting you to hear your valuable thoughts on the Spire experience.
Legal bases for using your personal data
Legitimate interests: for our legitimate business interest to improve our quality, training and security which does not overly prejudice you.
Additional legal bases for using your special category personal data
Health or social care: to manage the healthcare services we deliver, including carrying out surveys (which are not a form of marketing) in order to identify and carry out any necessary improvements.
Purpose 10: Managing our business: retaining patient records, reviewing CCTV images, maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (eg tax, financial, legal or public relations advice)
We do not need to use your special categories of personal data for this.
Legal bases for using your personal data
Legal obligation: to comply with our legal or regulatory obligations; and
Legitimate interests: for our legitimate business interest in managing our business operations, which does not overly prejudice you.
Additional legal bases for using your special category personal data
Not applicable.
Purpose 11: Advising you of other services offered by Spire and selected third party partners (“Marketing”)
As a business, we need to carry out marketing but we will only send you information about products or services which may be of interest to you and only where you have specifically given us your consent to do so.
We may also provide your personal data to market research agencies to collect your feedback which will be used to develop better products and services for you.
We do not need to use your special categories of personal data for this.
If you no longer wish to receive marketing emails sent by us, you can click on the "unsubscribe" link that appears in all of our emails, otherwise you can always contact our DPO (contact details can be found at the bottom of this document.) to update your contact preferences.
If you no longer wish to receive non-website based marketing information or for us to provide your personal data to market research agencies, please also contact our DPO.
Legal bases for using your personal data
Legitimate interests: We need to use your personal data for our legitimate business interest in marketing our services to our existing patients to increase sales, which does not overly prejudice you; and
Consent: You have given us your consent to use your personal data for this purpose.
Additional legal bases for using your special category personal data
Not applicable.
If we relied on legitimate interests in using your personal data, you can object to us using your personal data for this purpose, and we may have to stop doing so. If you would like to object then please contact our DPO (contact details can be found at the bottom of this page).
Who do we share your information with?
Within the Spire group of companies
We share your personal data with other companies in the Spire group.
Third parties:
We may share your personal data with the third parties listed below:
- a doctor, nurse, carer or any other healthcare professional involved in your care
- other members of support staff involved in your care, like medical secretaries, receptionists and porters
- anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin or carer
- NHS organisations, including NHS Resolution, NHS England, Department of Health
- Other private sector healthcare providers
- your GP
- your dentist
- your healthcare professional (including their medical secretaries)
- Leicester Diabetes Centre, if you part of our diabetes subscription service
- third parties who assist in the administration of your care, or may be responsible for paying for the cost of your care, such as insurance companies
- third parties acting on your behalf in connection with legal proceedings (including potential medico-legal claims)
- Private Healthcare Information Network (PHIN)
- national and other professional research/audit programmes and registries
- Government bodies, including the Ministry of Defence, the Home Office and HMRC
- our regulators, like the Care Quality Commission, Health Inspectorate Wales and Healthcare Improvement Scotland
- the police and other third parties for the prevention or detection of crime
- our insurers
- debt collection agencies
- credit referencing agencies
- our third party services providers such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document management providers and tax advisers; and
- selected third parties in connection with any sale, transfer or disposal our business. If you are a patient of a business that has been taken over by us, we will receive your personal information as part of the sale process. Where this happens, you will be informed of this prior to the transfer of data.
If we sell part of our business, then we will need to share your data with the new owner. The transfer of data (this could include your personal data – name, address, contact details, etc along with health data ie appointment bookings, medical notes and medical imaging) will be managed in secure manner, and minimises the disruption to current or previous patients and to ensure that Spire, and the new owner, are able to fully comply with our legal obligations regarding the retention medical records and to ensure continuity of care.
If we share your personal data, we will make sure appropriate protection is in place to protect it in line with data protection laws.
How do we protect your personal data?
We are committed to looking after your personal data and have implemented appropriate physical, technical, and organisational security measures designed to protect against accidental loss and unauthorised access, use, alteration, or disclosure.
In doing so, we comply with UK data protection law, including the Data Protection Act 2018, the EU General Data Protection Regulation and all applicable medical confidentiality guidelines issued by professional bodies including, but not limited to, the General Medical Council and the Nursing and Midwifery Council.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know it. They will only use your personal data on our instructions and they are subject to a duty of confidentiality.
Automated decision making
An automated decision is a decision made by computer without any human input. We will not use automated decision-making in relation to your care or other processes that would have legal or similarly significant effects.
We may, however, use automated-profiling of your personal data to evaluate certain personal things about, for example, your personal preferences, interests and location, to provide more tailored marketing. This could include targeted ads through social media platforms such as Facebook, Twitter, Instagram and LinkedIn.
We safeguard any personal data subject to automated-profiling, particularly by ensuring that any information we share with third party marketing agencies is in an anonymous form so that you cannot be identified. You also have the right to object to automated-profiling (or challenge the outcome), and can do so by contacting our DPO (contact details can be found at the bottom of this page).
For how long do we hold your personal data?
We will only hold your personal data for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice (view a summary of our Retention Policy) and in order to comply with our legal and regulatory obligations. Spire generally keeps personal data about your care for 30 years after you have finished your treatment. If your healthcare professional employs a different retention policy, then it is their responsibility to inform you of this.
If you would like further information regarding the periods for which your personal data will be held, please contact our DPO (contact details can be found at the bottom of this page).
International data transfers
We (or third parties acting on our behalf) may use or hold personal data that we collect about you in countries outside the United Kingdom or the European Economic Area) ("UK/EEA"). Where we transfer your personal data outside of the UK/EEA we take steps to ensure that your personal data is protected.
We will only transfer your personal data outside of the UK/EEA for the purposes set out in this Privacy Notice and to the extent that it is relevant and necessary.
In particular, we may transfer your personal data outside of the UK/EEA to the United States to suppliers of:
- medical devices eg heart monitoring equipment
- bespoke prostheses eg 3D knee prosthesis suppliers
- genomic testing eg we send pathology samples to a lab in the US who genetically map tumours to determine the effectiveness of immunotherapy drugs
If you would like further information regarding the steps we take to safeguard your personal data, please contact our DPO (contact details can be found at the bottom of this page).
Healthcare professionals, and/or their medical secretaries, may use IT services (such as email providers, cloud based storage providers, practice management software and clinical devices) which rely upon, or are backed up by, servers which are based outside of the UK/EEA. If such services are used by healthcare professionals, and/or their medical secretaries, then your personal data will be transferred outside of the UK/EEA. It is that healthcare professional’s responsibility to ensure your personal data is transferred lawfully and securely. This is not a matter for Spire.
Your rights
You have certain rights in relation to your personal data that we hold about you. These include rights to know what personal data we hold about you and how it is used. We will use and hold your personal data in accordance with our obligations and these rights.
You may ask to exercise these rights at any time by contacting our DPO (contact details can be found at the bottom of this page). You will not usually be charged for exercising your rights.
These rights do not always apply in all cases, and we will let you know how we will be able to meet your request. If we cannot meet your request, we will explain why.
If you make a large number of requests or it is not reasonable for us to meet a request then we do not have to respond. Alternatively, we can charge for responding.
The right to access your personal data
You have the right to request details and a copy of the personal data we hold about you and details about how we use it. We must confirm whether we have personal data about you, and we also need to provide you with a copy of your personal data.
We will usually provide you with your personal data in writing, unless you request otherwise. If you have made the request electronically (eg by email) the personal data will be provided to you electronically where possible.
In some cases we may not be able to fully comply with your request, for example if your request involves another person’s personal data and it would not be fair to that person to provide it to you.
The right to rectification
You have the right to have inaccurate personal data about you corrected or removed.
The right to erasure (“right to be forgotten”)
You have the right to request that we delete certain personal data we hold about you. However, there are exceptions to this right. For example, we can refuse to delete your personal data if we need to keep for tasks which are in the public interest, or for establishing, exercising or defending legal claims.
The right to restrict processing
You have the right to ask us to restrict our use your personal data. We do not have to comply with all requests to restrict our use of your personal data. For example, if we need to use it for tasks which are in the public interest or for establishing, exercising or defending legal claims.
The right to data portability
You have the right to ask us to transfer your personal data to you or to someone else in a format that can be read by computer.
The right to object to marketing
You have the right to ask us to stop sending you marketing messages at any time and we must comply with your request.
The right not to be subject to automatic decisions
You have the right to not be subject to automatic decisions (ie decisions that are made about you by computer without any human input) in relation to your care or other processes that have a legal or similarly significant effect on you.
Please see the section on Automated decision making for details about when we may make automatic decisions about you.
If you have been subject to an automated decision and do not agree with the outcome, you can challenge the decision by contacting our DPO (contact details can be found at the bottom of this page).
The right to withdraw consent
You have the right to withdraw any consent you have given us to use your personal data.
The right to object to other uses of your personal data
You have the right to object to us using your personal data in a particular way (such as sharing it with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing healthcare services.
The Information Commissioner's Office (“ICO”)
You can complain to the ICO if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.
More information can be found on the ICO website: https://ico.org.uk/
Making a complaint will not affect any other legal rights or remedies that you have.
National Data Opt-Out Programme
The national data opt-out is an NHS Digital service which enables patients receiving NHS funded care to opt-out from the use of their data for anything other than their individual care or treatment, for example research or planning purposes. All healthcare providers (including Spire Healthcare) are required to be compliant with the national data opt-out programme. We comply with this requirement by applying our NHS funded patients' national data opt-outs. You can view or change your national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters or by calling 0300 303 5678. Further information on the national data opt-out programme can be found at https://digital.nhs.uk/services/national-data-opt-out-programme.
External websites
We may from time to time include on our websites links to and from the websites of other organisations. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies and notices before you submit any personal data to these websites.
Our Data Protection Officer and how to contact us
We have a DPO who is responsible for ensuring the Spire group of companies in the section About us comply with their data protection obligations.
Our DPO can be contacted by:
- Telephone: 020 7427 9071
- Email: dataprotection@spirehealthcare.com
- Post: Data Protection Officer, Spire Healthcare, 3 Dorset Rise, London, EC4Y 8EN
If you have any questions about this Privacy Notice or would like to exercise any of your rights set out in this Privacy Notice, please contact our DPO.
Updates to this Privacy Notice
We may update this Privacy Notice from time to time to ensure that it remains accurate.
Read more about our cookie policy.
This Privacy Notice was last updated on 12 July 2022.