We are medneo UK Limited, a company registered in England and Wales. Our company registration number is 11673581 and our registered office is at 10 Upper Berkeley Street, London, United Kingdom, W1H 7PE.
medneo UK Limited is the controller for the personal data which we process.
This privacy notice tells you how we will use your information when you use our service.
Our contact details:
Our postal address: 10 Upper Berkeley Street, London, United Kingdom, W1H 7PE
Telephone: +49 30 814 501 - 600
We have appointed a Data Protection Officer. You can contact our DPO via;
Post: 10 Upper Berkeley Street, London, United Kingdom, W1H 7PE
Please mark the envelope ‘Data Protection Officer’.
Telephone: +44 772 093 7100
What information will we collect about you
At medneo UK Limited, we want to provide you with the highest quality of health care. To do this we must keep records about you.
The records which will hold about you may include:
- Basic details about you, such as address, date of birth, next of kin
- Contact we have had with you such as clinical visits
- Notes and reports about your health
- Details and records about your treatment and care
- Results of x-rays, laboratory test etc
- Relevant information from people who care for you and know you well, such as health professionals and relatives
We collect this information in order to;
- Provide a good basis for all health decisions made by you and care professionals
- Make sure your care is safe and effective, and;
- Work effectively with others providing you with care
You may choose to fund the cost of the services directly or through your Private Medical Insurer. We will therefore hold;
- Information you give us when you make a payment to us, such as card payment information
- Details of your Private Medical Insurer (where applicable)
How we receive your information
We collect information from various sources, including from;
- Other healthcare professionals/organisations who have referred you to medneo UK Limited for a diagnostic test.
- You such as relevant medical history
- Your insurance company such as your authorisation number
How we will use and share your information
We will only share relevant information with individuals/organisations on a need to know basis and in accordance with the law.
The purposes for which we will use and share your information include;
- The provision of safe and efficient care - we will share relevant information in your health record with other staff and organisations that are also involved in your care. This could include other healthcare professionals, Consultants and Radiologists involved in your care and/or the analysis and reporting of diagnostic tests. Some components of direct care may be delivered by non-registered and non-regulated health and social care staff, for example a ‘system administrator’ inputting information from your referral form into our electronic record keeping system.
- Clinical audits to evaluate the clinical performance of the quality of healthcare provided to you
- To manage untoward or adverse incidents to ensure that they do not happen again.
- Communicate with your insurer (where applicable) about your treatment, its necessity and cost.
- To ensure effective information technology, governance support and to investigate and respond to concerns, complaints, litigation and other queries/requests.
- The storage/secure disposal of information in accordance with our policies.
As patients, you will generally have the right to object to the use and disclosure of confidential information that identifies you. If you choose to prohibit information being disclosed to other health professionals involved in providing care, it might mean that the care that can be provided is limited and, in extremely rare circumstances, that it is not possible to offer certain treatment options. You will be informed if your decision about disclosure have implications for the provision of care or treatment.
Sometimes we may be required to share your information without your consent, for example;
- Disclosures in the public interest or to protect the public in order to prevent and support detection, investigation and punishment of a serious crime or to prevent abuse/serious harm
- Legal disclosures for example where we have received a court order instructing us to share information
- To support organisations with regulatory functions such as the CQC, ICO
Retention and disposal of personal data
You can refer to our retention schedule which explains how long we keep key types of records which we hold, including records and documents containing personal data.
This document also shows the lawful basis for processing the information in accordance with the GDPR for each type of record.
Securing your information
We take the upmost care to secure your information. We will only collect and use personal data that is necessary and relevant. We will also ensure it is only accessible to individuals/organisations who have a legitimate need to access your information.
- We ensure that all of our contractors operate under contractual agreements which have appropriate regard to data protection, confidentiality and security
- Any card payments will be processed securely and in accordance with relevant standards
- Anyone working for or on behalf is bound by the Common Law Duty of Confidentiality through employment contracts and/or professional codes of conduct
- We carry out regular auditing of our services to ensure that information is being protected and secured to the appropriate standard
- All of our staff receive regular training on how to handle information confidentially and securely
- Where information is transferred outside the European Economic Area, we will ensure adequate protections are in place, in accordance with data protection law
- We have adopted the Privacy by Design and Default approach and implement appropriate physical and technical security measures to our processes.
Data Protection Impact Assessments
We complete Data Protection Impact Assessments for all processes that are likely to result in a high risk to individuals. Completed Data Protection Impact Assessments can be found here.
Under data protection law, you have a number of rights available to you. These include;
- Your right of access: You have the right to ask us for copies of your personal information
- Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete
- Your right to be informed: you have the right to be told about the collect and use of your information
- Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances
- Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances
- Your right to object to processing: You have the the right to object to the processing of your personal data in certain circumstances
- Your right to data portability: You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
In most circumstances, you will not be required to pay any charge for exercising your rights. If you make a request, we will respond to you within 28 days. If a situation occurs whereby we need to extend the timeframe or a fee is applicable, we will contact you and provide you with an explanation.
Please contact [insert email address, phone number and or postal address] if you have any queries or wish to exercise a right.
Complaining to the ICO
If you are not happy about the way your information is being handled, you can lodge a complaint with the ICO.
Information Commissioner’s Office
Helpline number: 0303 123 1113
|Record Type||Retention||Personal Data?||Lawful Basis for Processing (Article 6)||Lawful Basis for Processing (Article 9)|
|Adult health records including medical illustration records and scans||8 years||Yes||Legitimate Interests (Private patients); Contract (self-pay patients)||Medical diagnosis, the provision of health or treatment|
|Children’s records||25th or 26th birthday||Yes||Legitimate Interests (Private patients); Contract (self-pay patients)||Medical diagnosis, the provision of health or treatment|
|Cancer/Oncology - the oncology records of any patient||30 years or 8 years after death||Yes||Legitimate Interests (Private patients); Contract (self-pay patients)||Medical diagnosis, the provision of health or treatment|
|Record of long term illness or an illness that may reoccur||30 Years or 8 years after death||Yes||Legitimate Interests (Private patients); Contract (self-pay patients)||Medical diagnosis, the provision of health or treatment|
|Clinical Audit||5 years||Stored in a non-identifiable format||Stored in a non-identifiable format||Stored in a non-identifiable format|
|Referrals not accepted||2 years||Yes||Legitimate Interests (Private patients); Contract (self-pay patients)||Medical diagnosis, the provision of health or treatment|
|Incidents (serious)||20 years||Yes||Legal obligation||Management of healthcare systems and services|
|Incidents (not serious)||10 years||Yes||Legal obligation||Management of healthcare systems and services|
|Financial records of transactions||6 years||Yes||Legal obligation||n/a|
|Complaints||10 years||Yes||Legal obligation||Management of healthcare systems and services|
|Litigation records||10 years||Yes||Legal obligation||Management of healthcare systems and services|
|Subject Access Request (SAR) and disclosure correspondence||3 years||Yes||Legal obligation||Management of healthcare systems and services|
|Subject Access Request where there has been a subsequent appeal||6 years||Yes||Legal obligation||Management of healthcare systems and services|
Data Protection Impact Assessments
It has not been necessary for medneo UK Limited to complete any Data Protection Impact Assessments to date. When these are required, information will be provided below.
|Description of Processing Activity||Summary of Actions Implemented to Minimise Data Protection Risks||Date Completed||Review Date|
Date: April 2019