Introduction

Amethyst UK (“Amethyst”, “we”, “us”, or “our”) is strongly committed to protecting personal data and ensuring that we are compliant with legislation including the General Data Protection Regulation (UK GDPR) and the UK’s Data Protection Act 2018 (DPA).

This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us, either by individuals themselves or by others. We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

Personal data is any information relating to an identified or identifiable living person. Amethyst processes personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.

When collecting and using personal data, our policy is to be transparent about why and how we process personal data. To find out more about our specific processing activities, please go to the relevant sections of this statement by clicking the boxes below.

We may process your information for a number of different purposes but must have a legal justification to do so. The particular justification will depend on the purpose of the proposed use of your data. When the information that we process is classed as “special category of personal information”, we must have a specific additional legal justification in order to use it as proposed. You will find details of our legal grounds for each of our processing purposes in the relevant section below.

We retain the personal data processed by us for as long as it is lawful for us to do so according to the purpose for which it was collected (including as required by applicable law or regulation).

Data Subjects

2.1. Patients

NHS Patients

Amethyst works in close partnership with the University College London Hospitals NHS Foundation Trust (UCLH) / Sheffield Hallamshire Teaching Hospitals NHS Foundation Trust (SHTT). To provide NHS patients with Gamma Knife radiosurgery treatment we confidentially process personal information on behalf of UCLH / SHTT (the data controllers) in accordance with their specifications and requirements. Patient notes are shared between both parties to ensure a full and accurate record of the treatment. In addition, personal data may be used for administrative purposes including:

  • waiting list management
  • performance against national targets
  • activity monitoring
  • local clinical audit
  • production of datasets to submit for commissioning purposes and national collections

All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence and UK GDPR. Personal data on patients is processed for the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e)) and for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Private Patients

As a patient of Amethyst, your treatment will be provided by a clinician who is a medical practitioner. For ease of reference, we refer to them simply as ‘clinicians’ throughout this Privacy Notice. Those clinicians make decisions about what information is collected about you and may maintain their own set of medical records in relation to the treatment that they provide. They are a Data Controller in respect of your personal information which they hold within those records, meaning that they must comply with the data protection legislation and relevant guidance when handling your personal information. We act as a data processor on behalf of the clinicians. To the extent relevant to the clinician’s practice, you can expect them (including their medical secretaries) to handle your information in line with this Privacy Notice. This includes using your personal information as set out in more detail below.

2.1.1. What personal information do we collect and use from patients?

We will use “special categories of personal information” (otherwise known as “special categories of data”) as we need to use information about your health in order to treat you.

The personal information we hold about you may include the following:

  • Name
  • Contact details, such as postal address, email address and telephone number
  • Financial information, such as credit card and medical insurance details used to pay us
  • Occupation
  • Emergency contact details, including next of kin
  • Background referral details
  • Sometimes (it will be clear when) we may use a photo

The special categories of personal information we hold about you may include the following:

  • Details of your current or former physical or mental health. This may include information about any healthcare you have received (both from QSRC directly and other healthcare providers such as GPs, hospitals (private and/or NHS)) or need, including about clinic and hospital visits and medicines administered.
  • Details of services you have received from us
  • Details of your nationality, race and/or ethnicity
  • Details of your religion
  • Details of any genetic data or biometric data relating to you

The confidentiality of your medical information is important to us. We make every effort to prevent unauthorised access to and use of information relating to your health. In doing so, Amethyst complies with UK data protection law, including the Data Protection Act 2018 and UK GDPR, and all applicable medical confidentiality guidelines issued by professional bodies including, but not limited to, the General Medical Council.

2.1.2. How do we collect your information?

We may collect personal information from a number of different sources including, but not limited to:

From other healthcare organisations

Our patients will usually receive healthcare from other organisations, and so in order to provide you with the best treatment possible we may have to collect personal information about you from other organisations. These may include:

  • Medical records from UCLH / SHTT
  • Medical records from your GP
  • Medical records from your clinician (including their medical secretaries)
  • Medical records from other private healthcare organisations

Medical records include information about your diagnosis, clinic and hospital visits and medicines administered.

From third parties

As detailed in the previous section, it is often necessary to seek information from other healthcare organisations. We may also collect information about you from third parties when:

  • You are referred to us for the provision of services including healthcare services
  • We liaise with your family
  • We liaise with your insurance policy provider
  • We deal with experts (including medical experts) and other service providers about services you have received or are receiving from us
  • We liaise with your current or former employer, health professional or other treatment or benefit provider

2.1.3. What are the purposes for which your information is used?

We may process your information for a number of different purposes but must have a legal justification to do so. The particular justification will depend on the purpose of the proposed use of your data. When the information that we process is classed as “special category of personal information”, we must have a specific additional legal justification in order to use it as proposed.

Generally, we will rely on the following legal justifications:

  • For the performance of a task carried out in the public interest or in the exercise of official authority and for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
  • For the purposes of providing you with healthcare. We will rely on this for activities such as supporting your medical treatment or care and other benefits, supporting your doctor, nurse, carer or other healthcare professional and providing other services to you.
  • We have an appropriate business need to process your personal information and such business need does not cause harm to you. We will rely on this for activities such as quality assurance, maintaining our business records, developing and improving our products and services and monitoring outcomes.
  • We have a legal or regulatory obligation to use such personal information.
  • We need to use such personal information to establish, exercise or defend our legal rights.
  • You have provided your consent to our use of your personal information.

You will find details of our legal grounds for each of our processing purposes below. We have set out individually those purposes for which we will use your personal information, and under each one we set out the legal justifications, as well as an ‘additional’ legal ground for special categories of personal information. This is because we have to demonstrate additional legal grounds where we are using information which relates to a person’s healthcare, as we will be doing the majority of the times we use your personal information.

Purpose 1: To provide you with healthcare and related services

Clearly, the reason you come to us is for us to provide you with healthcare, and so we have to use your personal information for that.

Legal grounds:

Providing you with healthcare and related services

Additional legal grounds for special categories of personal information:

We need to use the data in order to provide healthcare services to you

The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent

Purpose 2: For clinical audit/research purposes

Clinical audit

Amethyst may process your personal data for the purposes of local clinical audit – i.e. an audit carried out by the clinical team for the purposes of assessing outcomes for patients and identifying improvements which could be made for the future. We are allowed to do so on the basis of a legitimate interest and the public interest in statistical and scientific research, and with appropriate safeguards in place. You are, however, entitled to object to us using your personal data for this purpose, as a result of which we would need to stop doing so. If you would like to raise such an objection then please contact us.

Clinical research

Amethyst is committed to research and dissemination of knowledge. Research is a key focus and the trials we are currently designing and conducting will provide invaluable data to optimise the methods currently used to plan and deliver Gamma Knife Radiosurgery as well as to assess its effectiveness and safety.

We will share your personal data only to the extent that it is necessary to do so in assisting research and as permitted by law. Some research projects and/or registries have received statutory approval such that consent may not be required in order to use your personal data. In those circumstances, your personal data will be shared on the basis that:

Legal grounds:

We have a legitimate interest in helping with medical research and have put appropriate safeguards in place to protect your privacy

Additional legal grounds for special categories of personal information:

The processing is necessary in the public interest for statistical and scientific research purposes

In the event that consent is required, we will request this from you, which you may decline. You also have the right to object to us processing your information in this way. Please contact us (see details below) should you wish to exercise this right.

Purpose 3: Communicating with any other individual that you ask us to update about your care and updating other healthcare professionals about your care.

In addition, other healthcare professionals or organisations may need to know about your treatment in order for them to provide you with safe and effective care, and so we may need to share your personal information with them.

Legal grounds:

Our providing you with healthcare and other related services

We rely on the lawful basis of contract to ensure that other healthcare professionals who are routinely involved in your care have a full picture of your treatment

Additional legal ground for special categories of personal information:

We need to use the data in order to provide healthcare services to you

The use is necessary for reasons of substantial public interest under UK law

The use is necessary in order for us to establish, exercise or defend our legal rights

If you are a private or self-funding patient, as part of a UK-wide programme to improve the public’s access to information on the quality and outcome of private healthcare, we may share some of your personal data (NHS Number in England and Wales, CHI Number in Scotland or Health and Care Number in Northern Ireland) with The Private Healthcare Information Network (PHIN). PHIN then sends this Number to the relevant national information authority (for example NHS Digital in England) which links it to national hospital data and mortality data. The linked information, with your personal data removed, is then provided to PHIN to measure quality of care, check for adverse events after discharge, such as unplanned readmissions to hospital, emergency transfers between hospitals, or deaths following treatment. Additionally, the records we send to PHIN will include your postcode to enable statistical processing. PHIN, like us, will apply the highest standards of confidentiality to personal information in accordance with data protection laws and the duty of confidentiality. Any information that is published by PHIN will always be in anonymised statistical form and will not be shared or analysed for any purpose other than those stated. Further information about how PHIN uses information, including its Privacy Notice, is available at phin.org.uk.

Purpose 4: Communicating with you and resolving any concerns or complaints that you might have.

From time to time, patients may raise concerns, or even complaints, and we take those communications very seriously. It is important that we resolve such matters fully and properly, and so we will need to use your personal information in order to do so.

Legal grounds:

Our providing you with healthcare and other related services

Our having an appropriate business need to use your information which does not overly prejudice you

Additional legal grounds for special categories of personal information:

The use is necessary for the provision of healthcare or treatment pursuant to a contract with a health professional

The use is necessary in order for us to establish, exercise or defend our legal rights

Purpose 5: For account settlement purposes (Private patients)

We will use your personal information in order to ensure that your account and billing is fully accurate and up-to-date

Legal grounds:

Our providing you healthcare and other related services

Our having an appropriate business need to use your information which does not overly prejudice you

Additional legal grounds for special categories of personal information:

We need to use the data in order to provide healthcare services to you

The use is necessary in order for us to establish, exercise or defend our legal rights

Purpose 6: Complying with our legal or regulatory obligations, and defending or exercising our legal rights

As a provider of healthcare, we are subject to a wide range of legal and regulatory responsibilities which it is not possible to list fully here. We may be required by law or by regulators to provide personal information, in which case we will have a legal responsibility to do so. From time to time, Amethyst and its clinicians may also be the subject of complaints or legal actions and in order to fully investigate and respond to those actions, it is necessary to access your personal information (although only to the extent that it is necessary and relevant to the subject-matter).

Legal grounds:

The use is necessary in order for us to comply with our legal obligations

Additional legal ground for special categories of personal information:

We need to use the data in order for others to provide informed healthcare services to you

The use is necessary for reasons of the provision of health or social care or treatment or the management of health or social care systems

The use is necessary for establishing, exercising or defending legal claims

Purpose 7: Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice and marketing

In order to do this, we will not need to use your special categories of personal information and so we have not identified the additional ground to use your information for this purpose.

Legal grounds:

Our having an appropriate business need to use your information which does not overly prejudice you

Our use of photos:

From time to time we may take photos, with your permission, that we wish to use for marketing purposes. If we use your photo and where you are identifiable, we will always ask your permission for us to do so.

However, you should note that once the image is in the public domain, we have no control over who may download the photo or re-use it (e.g. newspapers, social media posts, other websites, etc.). As we will not necessarily know whether someone has re-used the image, there is an element of “loss of control” of the image, which means that should you ask us to delete the photo, we will only be able to delete it from our own website and stop using it. It may also be difficult for us to remove any past posts to our social media channels that include your photo.

Purpose 8: For training and internal quality controls

We may record our calls with you. Typically this will be when booking appointments, and it also means that, depending on the nature of the call, we may record your personal data including special category (health) data.

It will be made clear to you if you’re on a call that is being recorded. If we do record your call it will be used solely for the purposes of training and quality controls for our employees. You can ask us not to record the call at any time, and we will only keep the recording for up to 3 months, unless it is needed as part of an ongoing employee investigation.

Legal grounds:

We have a legitimate business interest to ensure you are receiving the best service

Additional legal ground for special categories of personal information:

The use is necessary for reasons of the provision of health or social care or treatment or the management of health or social care systems

Purpose 9: For your and our employees’ safety

In some of our centres we may utilise CCTV for the protection and safety of our employees and patients. This means that where you see signs, CCTV is in operation and may be recording your image.

Legal grounds:

We have a legitimate business interest to ensure you and our employees are protected.

2.1.4. How long do we keep personal information for?

We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations. We will always delete or anonymise personal data when we no longer need it.

2.1.5. How will we communicate with you?

We are likely to communicate with you by telephone (including mobile), email, and/or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available, which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate.

We will contact you to arrange pre-treatment, treatment and follow up appointments

We may contact you regarding patient surveys by post which are for the purpose of improving our service or monitoring outcomes and are not a form of marketing

Please note that although providing your mobile number and email address and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, we are not relying on your consent to process your personal data in order to correspond with you about your treatment. Processing your personal data for those purposes is justified on the basis that it is necessary to provide you with healthcare services.

2.1.6. Surveys

We may ask you to complete a patient feedback questionnaire regarding the treatment provided to you. The survey will largely be electronic on treatment day or may be sent post-treatment by post. This is not a form of marketing and the surveys do not try to sell you any further products or services; it is solely to gather information relating to your experience of Amethyst, for the purposes of improving the quality and safety of the services we offer to future patients. It is necessary for us to process your personal data in order to contact you with these surveys, on the basis of our appropriate business needs and to improve the quality of the healthcare services we offer. Participation in the surveys is entirely voluntary. You may also be given the opportunity to proactively opt into receiving a call back to further discuss your survey responses. These are all matters entirely for you.

2.1.7. Who do we share your information with?

From time to time, we may share your personal information with third parties that might include:

  • University College London Hospitals NHS Foundation Trust / Sheffield Hallamshire Teaching Hospitals NHS Foundation Trust (data controller for NHS patient information) for whom we are a data processor
  • A doctor, nurse, carer or any other healthcare professional involved in your treatment
  • Other members of support staff involved in the delivery of your care, like receptionists and porters
  • Anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin or carer
  • NHS organisations
  • Other private sector healthcare providers
  • Your GP
  • Your clinician (including their medical secretaries)
  • Third parties who assist in the administration of your healthcare, such as insurance companies
  • Private Healthcare Information Network
  • Our regulators, like the Care Quality Commission
  • The police and other third parties where reasonably necessary for the prevention or detection of crime
  • Our insurers
  • Selected third parties in connection with any sale, transfer or disposal of our business

We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.

2.1.8. Our use of your NHS data and the national data opt-out

The national data opt-out was introduced on 25 May 2018 and enables patients to opt out from the use of their patient data for research or planning purposes. Patients can view or change their opt-out choice at any time, online at www.nhs.uk/your-nhs-data-matters or by clicking on “Your Health” in the NHS App.

The national opt-out only applies in very specific situations, such as for research or planning. For providing our services to you, the national opt-out will not apply. However, should we be given access to your NHS records for our research or planning purposes, we will of course honour your opt-out, if set, and will not use your data.

2.2. Business Contacts
2.2.1. Collection of personal data

Amethyst processes personal data about contacts (e.g. existing clients, partners and individuals associated with them). The collection of personal data about contacts may include name, employer name, contact title, phone, email and other business contact details. In addition, Amethyst may collect data from Amethyst email (sender name, recipient name, date and time) and calendar (organiser name, participant name, date and time of event).

2.2.2. Use of personal data

Personal data relating to business contacts may be visible to and used by Amethyst users and may be used for the following purposes:

  • Administering, managing and developing our businesses and services
  • Providing information about us and our range of services*
  • Making contact information available to Amethyst users
  • Identifying clients/contacts with similar needs
  • Describing the nature of a contact’s relationship with Amethyst

*We undertake marketing and communications to promote awareness of the Gamma Knife Radiosurgery service and the referral and patients’ pathways to healthcare professionals which include updates, case studies, other relevant documentation and invitation to events.

Amethyst does not sell or otherwise release personal data to third parties for the purpose of allowing them to market their products and services without consent from individuals to do so.

Personal data will be retained for as long as it is necessary for the purposes set out above (e.g. for as long as we have, or need to keep a record of, a relationship with a business contact).

Legal grounds

Our having an appropriate business need to use your information which does not overly prejudice you

2.3. Visitors to the centre

We have security measures in place at our offices, including CCTV and building access controls. There are signs in our office showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to look into an incident). CCTV recordings are typically automatically overwritten after a short period of time unless an issue is identified that requires investigation.

We require visitors to controlled areas to sign in and keep a record of visitors to meet IRMER and CTSA regulations. Our visitor records are securely stored and only accessible on a need to know basis.

Legal grounds

The use is necessary in order for us to comply with our legal obligations

2.4. Website user
2.4.1. Collection of personal information

The information which we collect and store during normal use of the site (https://amethyst-radiotherapy.com/en/) can be used to monitor and analyse how parts of the site are used. Such use does not result in any personally identifiable data being collected or stored. You have the option on certain pages within this site to submit personal information to the Amethyst UK website in order that we might send you further information. These pages provide explanations as to how this information is to be used.

We will not disclose without your consent any personal information we collect about you when you visit the site to a third party, unless required by law.

If you have submitted personal information through this website and wish us to cease using it for the purposes submitted, please contact info@amethyst-radiotherapy.co.uk

Visitors to our websites are generally in control of the personal data shared with us. We may capture limited personal data automatically via the use of cookies on our website. You can find information about how we use cookies in our cookie policy (https://amethyst-radiotherapy.co.uk/cookie-policy/).

We receive personal data, such as name, title, company address, email address, and telephone and fax numbers, from website visitors; for example when an individual subscribes to updates from us, or completes a form on the website.

Visitors are also able to send an email to us through the website. Their messages will contain the user’s screen name and email address, as well as any additional information the user may wish to include in the message.

We ask that you do not provide sensitive information (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) to us when using our website; if you choose to provide sensitive information to us for any reason, the act of doing so constitutes your explicit consent for us to collect and use that information in the ways described in this privacy statement or as described at the point where you choose to disclose this information.

Legal grounds:

Our having an appropriate business need to use your information which does not overly prejudice you.

2.5. Staff

As your employer, the Company needs to keep and process information about you for normal employment purposes. The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left.

This includes using information to enable us to comply with the employment contract, to comply with any legal requirements, pursue the legitimate interests of the Company and protect our legal position in the event of legal proceedings.

If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.

As a company providing specialist healthcare services, we may sometimes need to process your data to pursue our legitimate business interests, for example to undertake DBS checks. We will never process your data where these interests are overridden by your own interests.

Much of the information we hold will have been provided by you, but some may come from other internal sources, such as your manager, or in some cases, external sources, such as referees.

The sort of information we hold includes your CV and references, your contract of employment and any amendments to it; correspondence with or about you, for example letters to you about a pay rise or, at your request, a letter to your mortgage company confirming your salary; information needed for payroll, benefits and expenses purposes; contact and emergency contact details; records of holiday, sickness and other absence and records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records.

You will, of course, inevitably be referred to in many company documents and records that are produced by you and your colleagues in the course of carrying out your duties and the business of the company.

Where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and company sick pay.

We may also process information about criminal convictions (e.g. DBS checks), if it is appropriate given the nature of your role and duties or where we are legally required to.

We do not process special categories of information relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, biometric data or sexual orientation. If this changes, we will always obtain your explicit consent to such processing unless this is not required by law or the information is required to protect your health in an emergency.

In addition, we may monitor computer and telephone use and keep records of your hours of work by timesheets.

Other than as mentioned below, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to our external payroll provider and pension schemes.

We may transfer information about you to other group companies for purposes connected with your employment or the management of the company’s business. It may be provided to selected third parties in connection with any sale, transfer or disposal of our business.

Your personal data will be stored for the duration of your employment and up to two years thereafter. If in the future we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information on that purpose and any other relevant information.

As noted above for patients we may record your telephone calls. It will be clear to you if your call is being recorded and it will only record whatever you (or the patient) say on the call.

If you object to this recording, you should discuss this with your line manager or a member of the HR team. The call recordings are used specifically to monitor the quality of calls and to help identify any training needs for our employees. The call recordings will be kept for up to three months, unless they’re required for any ongoing discussions with yourself.

Legal grounds

Where we need to perform the employment contract we have entered into with you. This may include initial employment checks (e.g. your right to work in the UK), paying you, providing benefits, conducting and managing reviews, etc.

The use is necessary in order for us to comply with our legal obligations.

Our having an appropriate business need (a legitimate interest) to use your information which does not overly prejudice you.

There are other rare occasions where we may use your personal data, which are:

Where we need to protect your interests (or someone else’s interests)

Where it is needed in the public interest or for official purposes.

2.6. Those with Practicing Privileges

The Company needs to keep and process information about you to ensure that we meet regulatory requirements, maintain and improve safety and quality of clinical care and that all who are intending to carry out procedures are fit and competent. This requires the processing of personal information for Disclosure and Barring Service checks and retention of inter alia training, appraisal, peer review, medical insurance documentation and contact details.

This data may be provided to regulators to provide evidence of compliance. We may transfer information about you to other group companies for purposes connected with compliance or the management of the company’s business. It may be provided to selected third parties in connection with any sale, transfer or disposal of our business.

Legal grounds

The use is necessary in order for us to comply with our legal obligations.

2.7. Sub-contractors and suppliers

We collect and process personal data about our suppliers (including subcontractors and individuals associated with our suppliers and subcontractors) in order to manage the relationship and contract, to receive services from our suppliers and, where relevant, to provide services to patients.

We use personal data for the following purposes:

  • Receiving services
  • Administering, managing and developing our businesses and services
  • Managing our relationship with suppliers
  • Developing our businesses and services
  • Security, quality and risk management activities

As with any provider of healthcare services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.

Legal grounds

The use is necessary in order for us to comply with our legal and contract obligations.

Our having an appropriate business need to use your information which does not overly prejudice you.

2.8. Recruitment Applicants

Applicants for employment will be required to provide personal information including their employment history, education and contact details. The information we hold and process will be used for administrative use only in connection with the application and will not be provided to any third parties. It will be retained for the duration of the application process, unless consent is explicitly provided for the information to be retained beyond this.

We would expect to collect the usual application information such as your name, address, contact details, CV and where applicable anything you supply as part of an application process. We may also need to carry out criminal record checks if relevant to your role, and as such we will process criminal offence data as part of the DBS check process.

Typically the data we process will be supplied by you, although we may receive information from other sources (e.g. if you provide references about previous employment).

Legal grounds

The use is necessary in order for us to comply with our legal and contract obligations.

Our having an appropriate business need to use your information which does not overly prejudice you.

3. Your rights

Under data protection law you have certain rights in relation to the personal information that is held about you. These include rights to know what information we hold about you and how it is used.

If you are an NHS patient you should contact UCLH / SHTT, the data controllers; their policies and procedures apply.

If you are not an NHS patient you may exercise these rights at any time by contacting us.

If we cannot comply with your request to exercise your rights we will usually tell you why.

There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act and the General Data Protection Regulation.

3.1. The right to access your personal information

You are usually entitled to a copy of the personal information we hold about you and details about how we use it.

Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.

Please note that in some cases we may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you.

You are entitled to the following under data protection law.

Under Article 15(1) of the UK GDPR we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:

  • The purposes for which we use your personal information
  • The types of personal information we hold about you
  • Who your personal information has been or will be shared with, including in particular organisations based outside the UK.
  • If your personal information leaves the UK, how we make sure that it is protected
  • Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for
  • If the personal data we hold about you was not provided by you, details of the source of the information
  • Whether we make any decisions about you solely by computer and if so details of how those decisions are made and the impact they may have on you
  • Your right to ask us to amend or delete your personal information
  • Your right to ask us to restrict how your personal information is used or to object to our use of your personal information
  • Your right to complain to the Information Commissioner’s Office

3.2. The right to rectification

We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.

3.3. The right to erasure

In some circumstances, you have the right to request that we delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.

3.4. The right to restriction of processing

In some circumstances, we must “pause” our use of your personal data if you ask us to. We do not have to comply with all requests to restrict our use of your personal information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.

3.5. The right to object to marketing

You can ask us to stop sending you marketing materials at any time and we must comply with your request. You can do this by contacting us at info@amethyst-radiotherapy.co.uk

3.6. The right to withdraw consent

In some cases we need your consent in order for our use of your personal information to comply with data protection legislation. Where we do this, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting us at info@amethyst-radiotherapy.co.uk

3.7. The right to complain to the Information Commissioner’s Office

You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.

More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/

Making a complaint will not affect any other legal rights or remedies that you have.

4. Third-party processors

We may use a number of third-party cloud-based services for the purposes of effectively running our business and providing our services to you. We may also use a number of third-party organisations, e.g. accountants, HR support, etc.

In all cases where we are using a third-party service or company, we will only provide the minimal amount of information for the purposes of delivering the service to us and to meet our requirements.

We always carry out due diligence against all our third-party suppliers for the purposes of ensuring their compliance with data protection, maintaining adequate security of your data and ensuring they apply adequate data protection principles to the processing of the data we supply. We also make sure a legally binding contract (sometimes called a Data Processing Agreement or DPA) is in place to protect your data.

5. Complaints

If you feel this privacy notice does not go far enough in explaining how we have used your personal data, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to info@amethyst-radiotherapy.co.uk

If you want to make a complaint about the way we have processed your personal information, we’d rather you brought it to us in the first instance, but of course you can contact the Information Commissioner’s Office in their capacity as the statutory body that oversees data protection law in the UK – https://ico.org.uk/make-a-complaint/

6. More information

For more information about your data rights and privacy or data protection in general visit the Information Commissioner’s Office website: https://ico.org.uk

7. Changes to our privacy policy

We may change or update elements of this privacy notice from time to time or as required by law. The most current version of our privacy notice is available on our website at https://amethyst-radiotherapy.co.uk/privacy-policy/