Privacy Policy

The Manchester Vein Clinic is part of Diagnostic Healthcare Limited.

 Diagnostic Healthcare is committed to ensuring that your privacy is protected and any information given to us by which you can be identified will only be used by us in accordance with this privacy statement. To this end we comply fully with the data protection law in force in the UK (“Data Protection Laws”) and with all applicable clinical confidentiality guidelines.

 This Privacy Policy sets out the basis on which we collect and process personal data about you including our practices regarding the collection, use, storage and disclosure of personal data that we collect from you and/or hold about you, and your rights in relation to that data. 

Please read the following carefully to understand how we process your personal data.

 By providing your personal data to us or by using our services, website or other online or digital platform(s) you are accepting or consenting to the practices as described or referred to in this Privacy Policy.

 For the purposes of Data Protection Laws, the data controller is Diagnostic Healthcare Limited, The Royals, 353 Altrincham Road, Sharston, Manchester M22 4BJ.

 This privacy policy sets out how Diagnostic Healthcare uses and protects any information that you give the company.

 What data do we collect?

 Information that you give us when you enquire about our services or become a customer or patient of ours, including:

  • your name, address and contact details (including email address and phone number)
  • the name and contact details (including phone number) of your next of kin. Where you have named someone as your next of kin/emergency contact and provided us with personal data about that individual, it is your responsibility to ensure that that individual is aware of and accepts the terms of this Privacy Policy
  • details of referrals, quotes and other contact and correspondence we may have had with you
  • details of services and/or treatment you have received from us or which have been received from a third party and referred on to us
  • information obtained from customer surveys, promotions and competitions that you have entered or taken part in
  • recordings of calls we receive or make
  • notes and reports about your health and any treatment and care you have received and/or need, including about clinic and hospital visits and medicines administered
  • patient feedback and treatment outcome information you provide
  • information about complaints and incidents
  • information you give us when you make a payment to us, such as financial or credit card information
  • other information received from other sources, including from your use of websites and other digital platforms we operate or the other services we provide, information from business partners, advertising networks, analytics providers, or information provided by other companies who have obtained your permission to share information about you.


Where you use any of our websites, we may automatically collect personal data about you including:

  • Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform,
  • information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page.

 The data that we request from you may include sensitive personal data. This includes information that relates to your mental or physical health or your racial or ethnic origin (and may include children's data).

 By providing us with sensitive personal data, you give us your explicit consent to process this sensitive personal data for the purposes set out in this Privacy Policy.

 When do we collect personal data about you?

 We may collect personal data about you if you:

  • visit one of our websites
  • enquire about any of our services or treatments
  • register or are referred to be a customer or patient with us or book to receive any of our services or treatments
  • fill in a form or survey for us
  • carry out a transaction on our website
  • participate in a competition or promotion or other marketing activity
  • contact us, for example by email, telephone or social media
  • participate in interactive features on any of our websites.
  • telephone us. In the interests of training and continually improving our services, calls to Diagnostic Healthcare and its agents may be monitored or recorded.

 What personal data may we receive from third parties and other sources?

 We may collect personal data about you from third parties such as:

  • If you are an employee of one of our corporate clients who has taken up one of our services, we may be passed your name, contact number and email address, in order to get in touch with you to arrange an appointment or collect further information from you;
  • We carry out work on behalf of the NHS and for the continuity of your care we may be passed medical information usually in the form of a referral for the purposes of your imaging or treatment with Diagnostic Healthcare;
  • Insurance providers will pass Diagnostic Healthcare personal data of patients who have commenced a claim and require medical imaging/treatment with Diagnostic Healthcare. This will normally be in the form of a referral and may consist of basic details, e.g. full name, date of birth, address, contact number and email address, and the type of procedure/treatment required.

What do we do with the information we collect?

We require a minimum amount of data to understand your preventive health care needs and requirements to enable us to provide you with the best possible service. Data is kept for the following reasons:

 Your personal data will be kept confidential and secure and will, unless you agree otherwise, only be used for the purpose(s) for which it was collected and in accordance with this Privacy Policy, applicable Data Protection Laws, clinical records retention periods and clinical confidentiality guidelines.

 Sensitive personal data related to your health will only be disclosed to those involved with your treatment or care, or in accordance with UK laws and guidelines of professional bodies or for the purpose of clinical audits (unless you object).

 Further details on how we use health related personal data are given below. 

 We will only use your sensitive personal data for the purposes for which you have given us your explicit consent to use it.  Please note that, although we have set out the purposes for which we may use your personal data below, we will not use your sensitive personal data for those purposes unless you have given us your explicit consent to do so.

 We may use your personal data to:

  • ensure you are given the best clinical advice.
  • enable us to carry out our obligations to you arising from any contract entered into between you and us, including the provision by us of services or treatments to you and related matters such as billing, accounting and audit, credit or other payment card verification and anti-fraud screening.
  • provide you with information, products or services that you request from us
  • internal record keeping.
  • provide you with information about products or services we offer that we feel may interest you. Unless you have consented to receive marketing communications by electronic means from us, by ticking the relevant box on the form on which we collect your data, we will only contact you by electronic means (e-mail or SMS) with information about products and services similar to those which you previously purchased or enquired about from us.
  • allow you to participate in interactive features of our services, when you choose to do so.
  • notify you about changes to our products or services.
  • respond to requests where we have a legal or regulatory obligation to do so.
  • support your doctor, nurse or other healthcare professional.
  • assess the quality and/or type of care you have received (including giving you the opportunity to complete customer satisfaction surveys) and any concerns or complaints you may raise, so that these can be properly investigated.
  • conduct and analyse market research.
  • ensure that content from any of our websites is presented in the most effective manner for you and for your computer.

 National Data Opt Out Regulation

The national data opt-out applies to the disclosure of confidential patient information for purposes beyond individual care across the health and adult social care system in England. The national data opt-out does not apply to information that is anonymised in line with the Information Commissioner’s Office (ICO) Code of Practice (CoP) on Anonymisation or is aggregate or count type data.

If you choose not to allow your confidential patient information to be used for purposes other than your immediate care and treatment, this will be respected and applied in accordance with the regulations.

 Note that there are some circumstances where the national data opt-out does not apply, for example where there is a legal requirement for the data disclosure that specifically sets aside the common law duty of confidentiality or where public interest considerations override the opt-out.

Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard it. We conduct assessments to ensure the ongoing security of our information systems. 

Any personal data you provide will be held for as long as is necessary having regard to the purpose for which it was collected and in accordance with all applicable UK laws.

 Your data is not transferred outside the UK.

 At your request, we may occasionally transfer personal information to you via email, or you may choose to transfer information to us via email.  Email is not a secure method of information transmission; if you choose to send or receive such information via email, you do so at your own risk.

 How we use cookies

 A cookie is a small file which asks permission to be placed on your computer's hard drive. If you agree, the file is added and the cookie helps analyse web traffic or lets the site know when you visit a particular page. Cookies allow web applications to respond to you as an individual.

We use traffic log cookies to identify which pages of our site are being used to help us analyse data about web traffic and improve our website. The data is removed once it has been analysed.

 Marketing

 If you have consented to our processing your personal data for marketing purposes, in accordance with this Privacy Policy, we may send you information (via mail, email, phone or SMS) about our products and services which we consider may be of interest to you.

 You have the right to ask us not to process your information in this way at any time. If you no longer wish to receive web based marketing information you can unsubscribe by clicking the unsubscribe option or following instructions in the SMS message.

 Links to other websites

Our website may contain links to other sites of interest. However, once you have used these links to leave our site, we cannot be responsible for the protection or privacy of information you provide whilst visiting those sites, and such sites are not governed by this privacy policy.

 Controlling your personal information

 In the usual course of our business we may disclose your personal data (to the extent necessary) to certain third party organisations that we use to support the delivery of our services. This may include the following:

  • business partners, suppliers and sub-contractors for the performance of any contract we enter into with you;
  • organisations providing IT systems support and hosting in relation to the IT systems on which your information is stored;
  • third party debt collectors for the purposes of debt collection;
  • third party service providers for the purposes of storage of information and confidential destruction;
  • third party marketing companies for the purpose of sending marketing emails, subject to obtaining appropriate consent.

 Where a third party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under Data Protection Laws.

 We may also disclose your personal data to third parties in the event that we sell or buy any business or assets or where we are required by law to do so.

 Health information collected during provision of treatment or services

 Sensitive personal data (including information relating to your health) will only be disclosed to third parties in accordance with this Privacy Policy. That includes third parties involved with your treatment or care, or in accordance with UK laws and guidelines of appropriate professional bodies. Where applicable, it may be disclosed to any person or organisation who may be responsible for meeting your treatment expenses. It may also be provided to external service providers and regulatory bodies (unless you object) for the purpose of clinical audit to ensure the highest standards of care and record keeping are maintained.

Medical professionals working with us: We share clinical information about you with our medical professionals as we think necessary for your treatment. Medical professionals working with us might be our employees, or they might be independent consultants in private practice. In the case of independent consultants, the consultant is the data controller of your personal data, either alone or jointly with us, and will be required to maintain their own records in accordance with Data Protection Laws and applicable clinical confidentiality guidelines and retention periods. Where that is the case, we may refer you to that consultant to exercise your rights over your data. Our contracts with consultants require them to cooperate with those requests. In all circumstances, those individual consultants will only process your personal data for the purposes set out in this Privacy Policy or as otherwise notified to you.

 External practitioners: If we refer you externally for treatment, we will share with the person or organisation that we refer you to, the clinical and administrative information we consider necessary for that referral.  It will always be clear when we do this.

 Your insurer:  We share with your medical insurer information about your treatment, its clinical necessity and its cost, only if they are paying for all or part of your treatment with us.  We provide only the information to which they are entitled. If you raise a complaint or a claim we may be required to share personal data with your medical insurer for the purposes of investigating any complaint/claim.  

 The NHS:  If you are referred to us for treatment by the NHS, we will share the details of your treatment with the part of the NHS that referred you to us, as necessary to perform, process and report back on that treatment.

 Medical regulators:  We may be requested – and in some cases can be required - to share certain information (including personal data and sensitive personal data) about you and your care with medical regulators such as the General Medical Council or the Nursing and Midwifery Council, for example if you make a complaint, or the conduct of a medical professional involved in your treatment is alleged to have fallen below the appropriate standards and the regulator wishes to investigate.  We will ensure that we do so within the framework of the law and with due respect for your privacy. 

 From time to time we may also make information available on the basis of necessity for the provision of healthcare, but subject always to patient confidentiality. 

In an emergency and if you are incapacitated, we may also process your personal data (including sensitive personal data) or make personal data available to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).

 We will use your personal data in order to monitor the outcome of your treatment by us and any treatment associated with your care, including any NHS treatment.

 We participate in national audits and initiatives to help ensure that patients are getting the best possible outcomes from their treatment and care. The highest standards of confidentiality will be applied to your personal data in accordance with Data Protection Laws and our duty of confidentiality. Any publishing of this data will be in anonymised, statistical form. Anonymous or aggregated data may be used by us, or disclosed to others, for research or statistical purposes.

 Accessing and updating your information

 The law gives you certain rights in respect of the personal data that we hold about you. In addition to your right to stop marketing (see the Marketing section above), below is a short overview of the most commonly-used rights. It is not an exhaustive statement of the law.

  • With some exceptions designed to protect the rights of others, you have the right to a copy of the personal data that we hold about you.
  • You have the right to have the personal data we hold about you corrected if it is factually inaccurate. It is important to understand that this right does not extend to matters of opinion, such as medical diagnoses.
  • If you want to exercise your rights in respect of your personal data, the best way to do so is to contact us by email at info@dhc.uk.com, or to write to us for the attention of the data protection officer at the address below.  In order to protect your privacy, we may ask you to prove your identity before we take any steps in response to such a request.
  • Data Protection Officer, Diagnostic Healthcare, The Royals, 353 Altrincham Road, Sharston, Manchester M22 4BJ
  • If you are not satisfied with how we handle your request, you can contact the Information Commissioner’s Office on 0303 123 1113 or visit their website (http://www.ico.org.uk).

GDPR

Introduction

The European Union's GDPR (General Data Protection Regulation) came into force in the UK on 25th May 2018. The GDPR replaced the Data Protection Act 1998 and introduced stricter data protection obligations that all organisations handling personal data, including employers, must follow.

 Information covered by the GDPR

 Personal data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person (Data Subject) who can be directly or indirectly identified in particular by reference to an identifier.

 This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

 The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

 Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

 Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data”.

The special categories specifically include genetic data and biometric data where processed to uniquely identify an individual.

 Personal data relating to criminal convictions and offences is not included in the special categories, but similar extra safeguards apply to its processing.

  Organisational Responsibilities

The regulations require personal data to be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  4. Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  6. Processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The Data Controller shall be responsible for, and be able to demonstrate, compliance with the principles.

Data Controller

DHC’s Data Controller is Liat Karni.

Individual Rights

The GDPR provides the following rights for individuals:

  1. Right to be informed
  2. Right of Access (also known as a Subject Access Request)
  3. Right to Rectification
  4. Right to Erasure
  5. Right to Restrict Processing
  6. Right to Data Portability
  7. Right to Object
  8. Rights in Relation to Automatic Decision Making and Profiling

 Managing Data Subject Requests

 Confirming Identity

 Adequate steps must be taken to identify the requestor before commencing the work to comply with the request. Where there is any doubt, proof of identity will be required. Examples of suitable documentation could include copies of:

  • Valid Passport.
  • Driving Licence.
  • Birth Certificate along with some other proof of address, e.g. a named utility bill or a Medical Card.
 Collation of information

 We will check that we have enough information to find the records you requested. If we feel we need more information, then we will promptly ask you for this.

 We will gather any manual or electronically held information and identify any information provided by a third party or which identifies a third party. This includes records created before 24 October 1998.

 If we have identified information that relates to third parties, we will write to them asking whether there is any reason why this information should not be disclosed.

 We do not have to supply the information to you unless the other party has provided their consent or it is reasonable to do so without their consent. If the third party objects to the information being disclosed we may seek legal advice on what action we should take.

 Before sharing any information that relates to third parties, we will where possible anonymise information that identifies third parties not already known to the individual and edit information that might affect another party’s privacy. We may also summarise information rather than provide a copy of the whole document.

The DPA requires us to provide information, not documents.

 Issuing our response

 Once any queries around the information requested have been resolved, copies of the information in a permanent form will be sent to you.

 We will explain any complex terms or abbreviations contained within the information when it is shared with you. 

 Third party disclosure

 Where records contain information that relates to an identifiable third party, that information may not be released unless:

  • The third party is a health professional who has compiled or contributed to a health record, or who has been involved in the care of the individual.
  • The third party, who is not a health professional, gives their written consent to the disclosure of that information.
  • It is reasonable to dispense with the third party’s consent (taking into account the duty of confidentiality owed to the other individual, any steps taken to seek his/her consent, whether he/she is capable of giving consent and whether consent has been expressly refused).

  Cost of information provision

 Under the GDPR, no charge can normally be made for responding to a request.

 However the regulations do provide that organisations can charge a ‘reasonable fee’ in circumstances where a request is deemed manifestly unfounded or excessive, particularly if it is repetitive. A reasonable fee may also be charged to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the information.

 Dealing with each Request Type

 Right to be Informed

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

 Individuals must be provided with information (privacy information) including:

    • purposes for processing their personal data
    • retention periods for that personal data
    • who it will be shared with.

 Privacy information must be provided to individuals at the time their personal data is collected from them.

 If personal data is obtained from other sources privacy information must be provided within a reasonable period of obtaining the data and no later than one month.

 Where requests are manifestly unfounded or excessive, in particular because they are repetitive:

  • a reasonable fee can be charged taking into account the administrative costs of providing the information, or
  • the request can be refused. In this case an explanation must be provided which includes their right to complain to the supervisory authority and to judicial remedy.

 The privacy notice supplied to individuals in regards to the processing of their personal data will be written in clear, plain language which is concise, transparent, easily accessible and free of charge.

 If services are offered directly to a child, Diagnostic Healthcare will ensure that the privacy notice is written in a clear, plain manner that the child will understand.

 In relation to data obtained both directly from the data subject and not obtained directly from the data subject, the following information will be supplied within the privacy notice: 

  • The identity and contact details of the controller, and where applicable, the controller’s representative and the DPO.
  • The purpose of, and the legal basis for, processing the data.
  • The legitimate interests of the controller or third party.
  • Any recipient or categories of recipients of the personal data.
  • Details of transfers to third countries and the safeguards in place.
  • The retention period, or the criteria used to determine the retention period.
  • The existence of the data subject’s rights, including the right to:
    • Withdraw consent at any time.
    • Lodge a complaint with a supervisory authority.
  • The existence of automated decision making, including profiling, how decisions are made, the significance of the process and the consequences.

 Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement and the details of the categories of personal data, as well as any possible consequences of failing to provide the personal data, will be provided.

 Where data is not obtained directly from the data subject, information regarding the source the personal data originates from and whether it came from publicly accessible sources, will be provided.

 For data obtained directly from the data subject, this information will be supplied at the time the data is obtained.

 In relation to data that is not obtained directly from the data subject, this information will be supplied:

  • Within one month of having obtained the data.
  • If disclosure to another recipient is envisaged, at the latest, before the data are disclosed.
  • If the data are used to communicate with the individual, at the latest, when the first communication takes place.
 Right of Access - Requests for Access to Personal Data – Subject Access Requests (SARs)

 Data Subjects have the right to obtain:
  • Confirmation that their data is being processed
  • Access to their personal data and
  • Other supplementary information

 The right of access allows individuals to be aware of and verify the lawfulness of the processing.

Right of Access Requests must be responded to within one month.

 A Subject Access Request (SAR) is any request made by an individual or an individual’s representative (see Rights of Access section) for information held by Diagnostic Healthcare about that individual.

 A Subject Access Request must be made in writing. The requestor does not need to mention the legislation under which the request is being made or state that they are making a SAR for their request to be valid. They may even refer to other legislation, for example the Freedom of Information Act 2000, but their request should still be treated according to this policy.

 Subject access provides a right for the subject to see/view their own personal data as well as to request copies of these. An individual does not have the right to access information recorded about someone else, unless they are an authorised representative, or have parental responsibility.

 They also have the right to an explanation of any terms they may not understand (such as technical language or terminology) and the right to ask that any inaccurate information is corrected, and to request a copy of those corrections.

 If the person requesting the information is a relative/representative of the individual concerned, then the relative/representative is entitled to personal data about themselves but must supply the individual’s consent for the release of their personal data.

 If the person requesting the information has been appointed to act for someone under the Mental Capacity Act 2005, that person must confirm their capacity to act on their behalf and explain how they are entitled to access their information.

 If the person requesting the information is the parent/guardian of a child under 16, Diagnostic Healthcare will need to consider whether the child can provide their consent to the person acting on their behalf.

 Exemptions

Requests for access by other organisations

Various external organisations and agencies may request information held about an individual. In almost all cases, information must not be shared unless consent from the individual has been provided.

Examples of requests from other agencies are listed below.

 Solicitor

Solicitors may apply to see information held about their client, but informed, explicit and signed consent must first have been obtained from the individual before a copy of the information is released. The solicitor should be given access only to the information and explanation that would otherwise have been made available to the individual.

Court Order

A Court may order disclosure of information. Unlike a request from a solicitor, a Court Order should be obeyed unless there is a robust justification to challenge it.

 The Court’s decision is law. Courts and Coroners are entitled to request original records. If they do, copies of the records must be retained by DHC.

 Coroners normally give sufficient notice for copies to be made, but have the power to seize records at short notice, which may leave little or no time to take copies.

 All Court Orders, and any documents purporting to be a Court Order, should be forwarded immediately to the Compliance Manager.

 Department for Work and Pensions

Personal data may be disclosed to assist in the assessment or collection of any tax or duty.

 Any request by the Department for Work and Pensions for access to any information held about an individual must be accompanied by the relevant form.

 Police

Personal data may be disclosed to assist in the prevention or detection of crime and the apprehension or prosecution of offenders. The individual should be asked (if possible) for their informed, explicit and signed consent to disclose the information, unless this would prejudice the enquiry or court case. Any request by the Police for access to information held about an individual must be accompanied by the relevant consent form and/or a letter detailing the information required, from the Chief Superintendent of the requesting police force. The Crime and Disorder Act 1998 also allows (but does not require) disclosure of information to the police, local authority, probation service or health authority for the purposes of preventing crime and disorder.

 For DHC to consider releasing any information without consent, the access request must relate to a serious crime in line with the Crime and Disorder Act 1998 (for example, murder or rape), otherwise the Police should be asked to obtain a Court Order or written approved signed consent (see above regarding Court Orders). All such requests from the Police should be in writing and forwarded immediately to the CEO.

 Research Organisations

Although research is considered an important factor in improving healthcare, the Information Commissioner does not consider it an essential element in the provision of healthcare. If personal identifiable or pseudonymised information is required, informed, explicit and signed consent must be obtained.

 Patients are generally aware and supportive of research, but it is not reasonable to assume that they are aware of, or likely to consent to, each and every research subject or proposal.

 If it is sufficient for the purposes of the research to use anonymised data, consent is not required, but patients should be informed by posters and/or leaflets how their information may be shared.

 Parental Responsibility

Parents, or those with parental responsibility, will generally have the right to apply for access to information held about a child, although disclosure may be refused if the child is deemed competent (“Gillick competent”) and refuses to give consent.

Legally, young people aged 16 and 17 are regarded as adults for the purposes of consent to treatment and the right to confidentiality. As such, if a person of this age wishes any information about them to be treated as confidential, this wish should be respected, and they have the right to deny parental access to information held about them.

 Individuals living abroad

A request for access to information held about an individual made from outside the UK will be treated in the same way as a request made from within the UK. People living outside of the UK have the same rights of access to information an organisation holds about them as UK residents do.

 Information relating to the deceased

Applications for access to health records of the deceased are made under the Access to Health Records Act 1990. Records made after 1st November 1991 can be made available to a patient representative, executor or administrator. Any person with a claim arising from the death of a patient has a right of access to information specifically relating to the claim.

 Right to Rectification

Individuals are entitled to have any inaccurate or incomplete personal data rectified.

 Where the personal data in question has been disclosed to third parties, Diagnostic Healthcare will inform them of the rectification where possible.

 Where appropriate, Diagnostic Healthcare will inform the individual about the third parties to whom the data has been disclosed.

 Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex.

 Where no action is being taken in response to a request for rectification, Diagnostic Healthcare will explain the reason for this to the individual, and will inform them of their right to complain to the supervisory authority and to a judicial remedy.

 Right of Erasure

This Right is also known as the ‘Right to be Forgotten’.

 It enables Data Subjects to request the deletion or removal of personal data where there is no compelling reason for its continued processing by the Data Controller.

The Right to Erasure applies in the following circumstances:

  • The personal data is no longer necessary in relation to the purpose for which it was originally collected
  • The processing was based on consent, and the Data Subject has now withdrawn their consent
  • The Data Subject objects to processing and there is no overriding legitimate interest of the Data Controller
  • The data was being unlawfully processed
  • The data must be erased to comply with a legal obligation

Under GDPR this right must be dealt with without undue delay.

 Non-applicability

There are some specific circumstances where the right to erasure does not apply and requests can be refused.

A request can be refused where the personal data is processed for the following reasons:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
  • for public health purposes in the public interest;
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
  • for the exercise or defence of legal claims.

 As a child may not fully understand the risks involved in the processing of data when consent is obtained, special attention will be given to existing situations where a child has given consent to processing and they later request erasure of the data, regardless of age at the time of the request. 

Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.

Where personal data has been made public within an online environment, Diagnostic Healthcare will inform other organisations who process the personal data to erase links to and copies of the personal data in question.

The Right to Restrict Processing

Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted personal data can be stored but not processed.

 Restricted information about the individual may be retained to ensure that the restriction is respected in the future.

Diagnostic Healthcare will restrict the processing of personal data in the following circumstances:

  • When a Data Subject contests the accuracy of their personal data, then processing should be restricted to storage only until accuracy is verified.
  • When a Data Subject objects to processing which is being carried out for the reason of performance of a task in the public interest, or for the legitimate interests of the Data Controller, then the Data Controller must restrict processing to storage only whilst they consider whether their legitimate grounds override the rights and freedoms of the individual.
  • When processing is unlawful and a Data Subject opposes erasure and requests restriction to storage instead.
  • When the Data Controller no longer needs the personal data but the Data Subject requires it for the purpose of a legal claim.

  If the personal data in question has been disclosed to third parties, Diagnostic Healthcare will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.

 Diagnostic Healthcare will inform individuals when a restriction on processing has been lifted.

 The Right to Data Portability

This Right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows the individual to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way in a common data format, for example, an Excel or CSV file.

 The Right to Data Portability applies in the following circumstances:

  • When the personal data was provided to the controller directly by the Data Subject
  • Where the processing is based on consent or performance of a contract
  • When processing is carried out by automated means

 Personal data will be provided in a structured, commonly used and machine-readable form.

 Where feasible, data will be transmitted directly to another organisation at the request of the individual.

 Diagnostic Healthcare is not required to adopt or maintain processing systems which are technically compatible with other organisations.

 In the event that the personal data concerns more than one individual, Diagnostic Healthcare will consider whether providing the information would prejudice the rights of any other individual.

 Diagnostic Healthcare will respond to any requests for portability within one month.

 Where the request is complex, or a number of requests have been received, the timeframe can be extended by two months, ensuring that the individual is informed of the extension and the reasoning behind it within one month of the receipt of the request.

 Where no action is being taken in response to a request, Diagnostic Healthcare will, without delay and at the latest within one month, explain to the individual the reason for this and will inform them of their right to complain to the supervisory authority and to a judicial remedy.

The Right to Object

 Individuals have the right to object to:

  • Processing based on legitimate interest or performance of a task in the public interest/exercise of official authority (including profiling)
  • Direct marketing (including profiling)
  • Processing for the purposes of scientific/historical research and statistics

 Diagnostic Healthcare will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information.

 Where personal data is processed for the performance of a legal task or legitimate interests:

  • An individual’s grounds for objecting must relate to his or her particular situation.
  • Diagnostic Healthcare will stop processing the individual’s personal data unless the processing is for the establishment, exercise or defence of legal claims, or where Diagnostic Healthcare can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual.

 Where personal data is processed for direct marketing purposes:

  • Diagnostic Healthcare will stop processing personal data for direct marketing purposes as soon as an objection is received.
  • Diagnostic Healthcare cannot refuse an individual’s objection regarding data that is being processed for direct marketing purposes.

 Where personal data is processed for research purposes:

  • The individual must have grounds relating to their particular situation in order to exercise their right to object.
  • Where the processing of personal data is necessary for the performance of a public interest task, Diagnostic Healthcare is not required to comply with an objection to the processing of the data.

Where a processing activity outlined above is carried out online, Diagnostic Healthcare will offer a method for individuals to object online.

 Rights in Relation to Automatic Decision Making and Profiling

This right provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.

 The Right not to be subject to a decision applies when:

  • It is based on automated processing
  • It produces legal/significant effects on the individual

 It does not apply if the decision:

  • Is necessary for entering into or performance of a contract
  • Is authorised by law
  • Is based on explicit consent
  • Does not have a legal/significant effect on the data subject