Privacy Policy

1. Introduction

 

This notice is designed to inform you of the type of information that I collect and hold about you in the course of providing you with private medical care.  It will also tell you what I do with the information I collect, how I will look after it and with whom I might share it.  It covers information I collect directly from you or which I may receive from other individuals or organisations.

This Privacy Notice also sets out your rights in respect of your personal information, and how to exercise them. You can, for instance, seek access to your medical information, object to particular ways your information may be used and you can request rectification of any information which is inaccurate or the deletion of information which is no longer required (subject to certain exceptions). 

This Privacy Notice does not provide exhaustive detail. However, I am happy to provide any additional information or explanation as needed.  If you would like further information about any of the matters in this Privacy Notice or have any other questions about how I collect, store or use your personal information, please contact me using the details below.

 

If you would like this notice in another format, such as Braille, audiotape, large print or another language, please contact me, again, using the contact details on my website and correspondence.

2. Who I am and what I do 

 

In this Privacy Notice the use of “I”, “me” or “mine” refers to your treating clinician Mr Ilias Nikolopoulos and will also include the actions of any Medical Secretary or other staff acting under my instruction.

 

Under the terms of the EU General Data Protection Regulation (GDPR), I am known as a “Data Controller” and a “Data Processor”.  This means that I am legally responsible for ensuring that all personal information that I process about you is done in compliance with data protection laws.  All Data Controllers must notify the Information Commissioner’s Office of all personal information processing activities. My registration number is ZA295907 and my entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

3. How to contact me

 

If you have any queries or concerns about how I handle your personal information or about the content of this Privacy Notice, please contact me by:

 

4. How I work

 

I will provide your treatment from BMI The Park Hospital and consequently, there may be occasions when it is necessary for BMI The Park Hospital to also process your personal data (for example, when admitting you to the hospital for treatment or when arranging nursing or additional care and treatment).  Your information will only be processed as required by the Data Protection laws of the UK.  Where this does become necessary, BMI The Park Hospital will become a joint Data Controller in respect of your personal information and they will provide you with a copy of their own Privacy Notice at that point, which sets out how they will manage your personal information.  

 

5. Personal Information I hold about you

 

When I refer to “personal data” in this policy, this refers to information that can or has the potential to identify you as an individual.  When I refer to ‘processing’ your personal information, this covers any use of your personal information, including but not limited to accessing, storing and disseminating information.  I may also use “special categories of personal information” about you, which could include information relating to your physical and mental health. 

 

When you request treatment from me and become my patient, the personal information I may then need to hold about you may include the following:

  • Name

  • Contact details, such as postal address, email address and telephone numbers

  • Financial information, such as credit card details used to pay us

  • Occupation

  • NHS Number

  • Family details including next of kin

  • GP and referral details

  • Visual images, for example CCTV images as part of building security 

  • Responses to surveys or questionnaires

  • Correspondence relating to a complaint or claim

  • Your specific information requirements

 

Special categories of information relating to your medical treatment must be handled even more sensitively than your personal information. The special categories of personal information I may hold and process about you may include the following:

 

  • Details of your current or former physical or mental health. This may include information about any healthcare you have received (both from me directly and other healthcare providers such as your GP or hospitals (private and/or NHS)) and details of medicines previously and currently taken.

  • Details of other services you have received from me

  • Details of your lifestyle and social circumstances

  • Details of your nationality, race and/or ethnicity

  • Details of your religion

  • Details of any genetic data or biometric data relating to you

  • Data concerning your sex life and/or sexual orientation.

6. How I collect your information

 

There are a number of ways in which I may collect your personal information.  It may be collected directly from you when:

 

  • You enter into a contract with me for the provision of healthcare services

  • You use those services

  • You correspond with me by letter, email, telephone or social media 

  • You complete enquiry forms on my website. 

 

In order to provide you with the best treatment possible, I may need to collect your medical records including information about any diagnosis, clinic and hospital visits and medicines administered.  This information may be provided by other individuals and organisations, including: 

 

  • GPs

  • Hospitals, both NHS and private

  • Commissioners of healthcare services

  • Other Private providers of healthcare (including their medical secretaries).

 

Information about you may also be provided to me from other sources as relevant to your treatment.  These third parties may include:

 

  • Your insurance policy provider 

  • Your current or former employer 

  • Your family

  • External medical experts 

  • NHS health service bodies

  • Credit reference agencies

  • Debt collection agencies

  • Government agencies, including the Ministry of Defence, the Home Office and HMRC.

7. How I will protect your privacy

 

I am committed to protecting your privacy and will only process personal information in accordance with the EU General Data Protection Regulation, the Human Rights Act 1998 and the common law duty of confidentiality.

 

All information that I hold about you will be held securely and confidentially.  I use clear administrative and technical controls to do this.  Both I and any staff working for me have undertaken appropriate levels of Information Governance training to ensure that we have the correct skills and understanding to look after any information you provide to the highest standards of confidentiality and security.  Additionally, all staff at BMI The Park Hospital, any contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. 

 

I will only ever use the minimum amount of information necessary about you to provide you with treatment and healthcare.  Wherever possible, I will use information that does not directly identify you; however, where it is necessary for me to know or use personal information about you, I will only do this where I have an appropriate legal justification for doing so.

 

Where my staff or the staff of BMI The Park Hospital need to access your clinical record (for example, my secretary will need to see your record in the process of typing up correspondence or where medical queries are being followed up) they will only access the necessary information and will follow the strictest rules of confidentiality and data protection.  My medical secretary/secretaries Dawn Brown are required to sign a confidentiality agreement and are bound by their contract of employment which does not allow them to disclose any information about your health care to anyone unless it is with another clinical team for the purpose of your health care.  

 

I will not divulge your record to any other patients or family members, except in the case of children under 12, where applicable, unless you give me permission to do so.  Some patients do prefer a family member or friend to act on their behalf. If you wish for someone else to act on your behalf please let me know and I will make arrangements with you for this to take place.  You can withdraw this consent at any time but you must let me know immediately if you no longer wish for me to discuss your health with the nominated person.

 

8. How I will communicate with you

 

I need to communicate with you in order to provide you with healthcare services.  I or my secretary may contact you by telephone, SMS, email, and/or post.

 

In order to provide you with timely updates and reminders in relation to your healthcare, I may communicate with you by telephone, SMS and/or email (where you have provided me with your telephone number and/or email address). 

 

To provide you with your medical information (including test results and other clinical updates) and/or invoicing information, I may communicate with you by email where you have provided your email address and where you have agreed to this form of communication for medical matters.

 

If you have stated a preference to be communicated with about your health care or treatment via a particular method, I will not be relying on your consent to process your data in this way.  As set out in Schedule 1 below, the processing of your personal data for these purposes is justified on the basis that it is necessary to fulfill my contract with you for the provision of healthcare services.

9. Surveys and Marketing

 

Where you provide me with your mobile number or your email address I may use one or both of these to contact you regarding patient surveys (which I may conduct or which may be undertaken by any professional bodies of which I am a member), for example, Quality of Life questionnaires following surgery, for the purpose of improving my service and monitoring patient outcomes.  I will only contact you in this way if you have provided your consent for me to do so. You have a right to decide not to consent to such contact and it will not affect your care should you choose to do so. You will be able to unsubscribe from receiving such requests at any time without having to give a reason.

 

10. With whom I share your information

 

In certain situations, I may share data about relevant aspects of your healthcare record with other clinicians or with third parties such as your GP, NHS Hospital, BMI The Park Hospital and/or your Medical Insurance Provider.

 

Specifically, I may disclose your information to the third parties listed below for the purposes described in Schedule 1 of this Privacy Notice. They may include:

 

  • A doctor, nurse  or any other healthcare professional involved in your treatment

  • Other members of BMI The Park Hospital staff involved in the delivery of your care, such as receptionists and porters

  • Emergency contacts, for example your next of kin or carer

  • NHS organisations

  • Other private sector healthcare providers

  • Your GP

  • Another private provider of medical care or treatment to you (including their medical secretaries) 

  • Third parties who assist in the administration of your healthcare, such as insurance companies

  • The Private Healthcare Information Network (See Schedule 1 for more details on this)

  • National and other professional research and audit programmes, as detailed in Schedule 1

  • Government bodies, including the Ministry of Defence, the Home Office and HMRC

  • Regulators of healthcare such as the Care Quality Commission

  • The police and other third parties where reasonably necessary for the prevention or detection of crime

  • My insurers

  • Debt collection agencies

  • Credit referencing agencies

  • Any third party services providers such as IT suppliers

  • Selected third parties in connection with any sale, transfer or disposal of my business

  • Anyone else with whom you ask us to communicate.

 

I may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.

 

I will not otherwise share, sell or distribute any of your personal information to any third party without your consent, unless required by law. Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with the requirements of the EU General Data Protection Act.

 

You may wish me to share health information held about you with others for purposes other than your care. This could include with insurance companies, a medical report for a mortgage, life insurance, for immigration purposes, with a solicitor representing you in a personal injury claim.  In such cases this will only be done with your signed and explicit consent. I will only share the minimum agreed information.

11. International data transfers

 

I (or third parties acting on my behalf) may store or process information that I collect about you in countries outside the European Economic Area ("EEA"). Under the EU General Data Protection Regulation (GDPR), companies transferring information outside of the EEA must ensure that such transfers are subject to appropriate safeguards to ensure an adequate level of data protection.  Where I make a transfer of your personal information to a country outside the EEA, I will take the required steps to ensure that your personal information is protected.

 

I may transfer your personal data outside of the EEA to the following specific types of third party:

 

  • Medical administration services

  • Suppliers of medical devices 

 

Where I do use such organisations, I have undertaken a privacy impact assessment to ensure this process is safe and meets data protection requirements under the relevant laws.

 

If you would like further information regarding the steps I take to safeguard your personal information, please contact me as outlined in Section 3.

 

12. How long I will keep your personal information

 

I will only keep your personal information for as long as reasonably necessary to undertake your care and to comply with my legal and regulatory obligations. If you would like further information regarding the periods for which your personal information will be stored, please contact me as outlined in Section 3.

13. For what purposes I will use your information

 

I may 'process' your information for a number of different purposes.  The law requires me to have a legal justification for processing your data. The particular justification will depend on the proposed use of your data.  When the information I process is classed as “special category of personal information”, I must have a specific additional legal justification in order to process your data.

 

I will rely on the following legal justifications for processing your personal data: 

 

  • Taking steps at your request so that you can enter into a contract with me to receive treatment and/or healthcare services.

  • For the purposes of providing you with healthcare pursuant to a contract between us. 

  • I have an appropriate business need to process your personal information and such business need does not cause harm to you.   Under the law this is called a ‘legitimate interest’.

  • I have a legal or regulatory obligation to use such personal information.

  • I need to use your personal information to establish, exercise or defend my legal rights.

  • You have provided your consent to my use of your personal information.

 

You will find details of the legal justifications for each of my processing activities in Schedule 1 of this Privacy Notice.

 

14. What rights you have under the law with regard to your personal information

 

Under data protection law you have certain rights in relation to the personal information that I hold about you. These include the right to know what information I hold about you and how it is used.  You may exercise these rights at any time by contacting me as outlined in Section 3.  

 

There will not usually be a charge for handling a request to exercise your rights.  If I cannot comply with your request to exercise your rights I will usually tell you why.   There are some special rules about how these rights apply to health information as set out in the relevant legislation.

 

If you make a large number of requests or it is clear that it is not reasonable for me to comply with a request then I do not have to respond or I can charge you for responding.

 

Your rights include:

 

  • The right to access your personal information

You are entitled to a copy of the personal information I hold about you and details about how I use it.  Please note that in some cases I may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you.  

 

  • The right to restriction of processing

In some circumstances, you can ask me to suspend the use of your personal data.  Sometimes I won’t be able to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.

 

  • The right to data portability

You can ask me to transfer your personal information to you or to another individual or organisation. The information must be transferred in an electronic format.

 

  • The right to object to processing

You can ask us to stop processing your information where we are relying on legitimate interests as the legal ground for processing (when we refer to ‘legitimate interests’, this means that we have an appropriate business need to process your personal information and this business need does not cause harm to you).

 

  • The right not to be subject to automatic decisions 

You have a right not to be subject to decisions that are made about you by computer alone.  I do not carry out any automated decision-making in relation to your treatment.

 

  • The right to withdraw consent

In some cases I need your consent in order to use your personal information to comply with data protection legislation.  Schedule 1 sets out instances where I will rely on your consent for the purpose of processing your personal information.  You have the right to withdraw your consent at any time. You can do this by contacting me as outlined in Section 3.

 

  • The right to complain to the Information Commissioner's Office

You can complain to the Information Commissioner's Office if you are unhappy with the way that I have managed any of your rights above, or if you think I have not complied with my legal obligations. More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/.  Making a complaint will not affect any other legal rights or remedies that you have.

 

15. When this Privacy Notice will be updated

I may update this Privacy Notice from time to time to ensure that it remains accurate. If these changes result from any material difference to the manner in which I process your personal data then I will provide you with an updated copy of the Policy. This Privacy Notice was last updated on 25th of May 2018.

16. How you may make a complaint or enquiry

 

I aim to meet the highest standards when collecting and using personal information.  For this reason, I take any complaints I receive very seriously.  I encourage you to bring concerns to my attention if you think that my collection or use of information is unfair, misleading or inappropriate. I would also welcome any suggestions for improving my procedures. You can contact me regarding any complaints or questions as outlined in Section 3.

SCHEDULE 1
ABOUT THE INFORMATION I COLLECT AND HOLD

In the table below I have set out the individual purposes for which I will process your personal information and the legal justification for doing so.  In most instances, I am also required to identify an additional legal justification where I am processing special categories of personal information (eg. medical information).  Beside each legal justification, I have cited the relevant article of the EU General Data Protection Regulations (GDPR).