We are medneo UK Limited, a company registered in England and Wales. Our company registration number is 11673581 and our registered office is at 10 Upper Berkeley Street, London, United Kingdom, W1H 7PE.

medneo UK Limited is the controller for the personal data which we process.

This privacy notice tells you how we will use your information when you use our service.

 

Our contact details:

     Our postal address: 10 Upper Berkeley Street, London, United Kingdom, W1H 7PE

     Telephone: +49 30 814 501 - 600

 

We have appointed a Data Protection Officer. You can contact our DPO via;

     Post: 10 Upper Berkeley Street, London, United Kingdom, W1H 7PE

     Please mark the envelope ‘Data Protection Officer’.

     Telephone: +44 772 093 7100

     Email: dpo-uk@medneo.com

 

What information will we collect about you

At medneo UK Limited, we want to provide you with the highest quality of health care. To do this we must keep records about you.

 

The records which we will hold about you may include:

  • Basic details about you, such as address, date of birth, next of kin
  • Contact we have had with you such as clinical visits
  • Notes and reports about your health
  • Details and records about your treatment and care
  • Results of x-rays, laboratory tests etc.
  • Relevant information from people who care for you and know you well, such as health professionals and relatives

 

We collect this information in order to;

  • Provide a good basis for all health decisions made by you and care professionals
  • Make sure your care is safe and effective, and;
  • Work effectively with others providing you with care

 

You may choose to fund the cost of the services directly or through your Private Medical Insurer. We will therefore hold;

  • Information you give us when you make a payment to us, such as card payment information
  • Details of your Private Medical Insurer (where applicable)

 

How we receive your information

We collect information from various sources, including from;

  • Other healthcare professionals/organisations who have referred you to medneo UK Limited for a diagnostic test.
  • You, such as relevant medical history
  • Your insurance company, such as your authorisation number

 

How we will use and share your information

We will only share relevant information with individuals/organisations on a need to know basis and in accordance with the law.

 

The purposes for which we will use and share your information include;

  • The provision of safe and efficient care - we will share relevant information in your health record with other staff and organisations that are also involved in your care. This could include other healthcare professionals, Consultants and Radiologists involved in your care and/or the analysis and reporting of diagnostic tests. Some components of direct care may be delivered by non-registered and non-regulated health and social care staff, for example a ‘system administrator’ inputting information from your referral form into our electronic record keeping system.
  • Clinical audits to evaluate the clinical performance of the quality of healthcare provided to you
  • To manage untoward or adverse incidents to ensure that they do not happen again.
  • Communicate with your insurer (where applicable) about your treatment, its necessity and cost.
  • To ensure effective information technology, governance support and to investigate and respond to concerns, complaints, litigation and other queries/requests.
  • The storage/secure disposal of information in accordance with our policies.

 

As patients, you will generally have the right to object to the use and disclosure of confidential information that identifies you. If you choose to prohibit information being disclosed to other health professionals involved in providing care, it might mean that the care that can be provided is limited and, in extremely rare circumstances, that it is not possible to offer certain treatment options. You will be informed if your decision about disclosure has implications for the provision of care or treatment.

 

Sometimes we may be required to share your information without your consent, for example;

  • Disclosures in the public interest or to protect the public in order to prevent and support detection, investigation and punishment of a serious crime or to prevent abuse/serious harm
  • Legal disclosures for example where we have received a court order instructing us to share information
  • To support organisations with regulatory functions such as the CQC, ICO

 

Retention and disposal of personal data

You can refer to our retention schedule which explains how long we keep key types of records which we hold, including records and documents containing personal data.

This document also shows the lawful basis for processing the information in accordance with the GDPR for each type of record.

 

Securing your information

We take the utmost care to secure your information. We will only collect and use personal data that is necessary and relevant. We will also ensure it is only accessible to individuals/organisations who have a legitimate need to access your information.

 

In addition;

  • We ensure that all of our contractors operate under contractual agreements which have appropriate regard to data protection, confidentiality and security
  • Any card payments will be processed securely and in accordance with relevant standards
  • Anyone working for us or on our behalf is bound by the Common Law Duty of Confidentiality through employment contracts and/or professional codes of conduct
  • We carry out regular auditing of our services to ensure that information is being protected and secured to the appropriate standard
  • All of our staff receive regular training on how to handle information confidentially and securely
  • Where information is transferred outside the European Economic Area, we will ensure adequate protections are in place, in accordance with data protection law
  • We have adopted the Privacy by Design and Default approach and implement appropriate physical and technical security measures to our processes.

 

Data Protection Impact Assessments

We complete Data Protection Impact Assessments for all processes that are likely to result in a high risk to individuals. Completed Data Protection Impact Assessments can be found here.

 

Your Rights

Under data protection law, you have a number of rights available to you. These include;

  • Your right of access: You have the right to ask us for copies of your personal information
  • Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete
  • Your right to be informed: You have the right to be told about the collection and use of your information
  • Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances
  • Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances
  • Your right to object to processing: You have the right to object to the processing of your personal data in certain circumstances
  • Your right to data portability: You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

 

In most circumstances, you will not be required to pay any charge for exercising your rights. If you make a request, we will respond to you within 28 days. If a situation occurs whereby we need to extend the timeframe or a fee is applicable, we will contact you and provide you with an explanation.

Please contact [insert email address, phone number and or postal address] if you have any queries or wish to exercise a right.

 

Complaining to the ICO

If you are not happy about the way your information is being handled, you can lodge a complaint with the ICO.

 

Information Commissioner’s Office

    Wycliffe House

    Water Lane

    Wilmslow

    Cheshire

    SK9 5AF

 

Helpline number: 0303 123 1113

https://ico.org.uk/make-a-complaint/

| Record Type | Retention | Personal Data? | Lawful Basis for Processing (Article 6) | Lawful Basis for Processing (Article 9) |
|---|---|---|---|---|
| Adult health records including medical illustration records and scans | 8 years | Yes | Legitimate Interests (Private patients); Contract (self-pay patients) | Medical diagnosis, the provision of health or treatment |
| Children’s records | 25th or 26th birthday | Yes | Legitimate Interests (Private patients); Contract (self-pay patients) | Medical diagnosis, the provision of health or treatment |
| Cancer/Oncology - the oncology records of any patient | 30 years or 8 years after death | Yes | Legitimate Interests (Private patients); Contract (self-pay patients) | Medical diagnosis, the provision of health or treatment |
| Record of long term illness or an illness that may reoccur | 30 years or 8 years after death | Yes | Legitimate Interests (Private patients); Contract (self-pay patients) | Medical diagnosis, the provision of health or treatment |
| Clinical Audit | 5 years | Stored in a non-identifiable format | Stored in a non-identifiable format | Stored in a non-identifiable format |
| Referrals not accepted | 2 years | Yes | Legitimate Interests (Private patients); Contract (self-pay patients) | Medical diagnosis, the provision of health or treatment |
| Incidents (serious) | 20 years | Yes | Legal obligation | Management of healthcare systems and services |
| Incidents (not serious) | 10 years | Yes | Legal obligation | Management of healthcare systems and services |
| Financial records of transactions | 6 years | Yes | Legal obligation | n/a |
| Complaints | 10 years | Yes | Legal obligation | Management of healthcare systems and services |
| Litigation records | 10 years | Yes | Legal obligation | Management of healthcare systems and services |
| Subject Access Request (SAR) and disclosure correspondence | 3 years | Yes | Legal obligation | Management of healthcare systems and services |
| Subject Access Request where there has been a subsequent appeal | 6 years | Yes | Legal obligation | Management of healthcare systems and services |

 

Data Protection Impact Assessments

It has not been necessary for medneo UK Limited to complete any Data Protection Impact Assessments to date. When these are required, information will be provided below.

| Description of Processing Activity | Summary of Actions Implemented to Minimise Data Protection Risks | Date Completed | Review Date |
|---|---|---|---|

Date: April 2019