Consultant Head and Neck, Thyroid Surgeon

SPIRE PATIENT PRIVACY NOTICE

Version 1 - 29 April, 2018

Executive summary
1. As custodian of personal information relating to your medical treatment, we must treat that information in accordance with all applicable law and guidance. This Privacy Notice provides you with a detailed overview of how we will manage your data, from the point at which it is gathered and onwards. We will use that information for a variety of purposes including, but not limited to, providing you with care and treatment, sharing it with other medical professionals and research/clinic audit programmes, and seeking feedback on your patient experience. We may also, with your specific agreement, contact you with marketing materials. This Privacy Notice will give you all the details you need on how we use your information, and how we will comply with the law in doing so.
2. In addition, you have a number of rights as a data subject. You can, for instance, seek access to your medical information, object to us using your information in particular ways and request rectification of any information which is inaccurate or deletion of information which is no longer required (subject to certain exceptions). This Privacy Notice also sets out your rights in respect of your personal information, and how to exercise them.
3. For ease of reference, this Privacy Notice is broken into separate sections below with headings which will help you to navigate through the document. We are also open to improvement, and if you have any feedback on this notice then do please feel free to contact our Data Protection Officer with your thoughts.
Introduction
1. This Privacy Notice sets out details of the information that Spire and the clinicians responsible for your treatment (including their medical secretaries) may collect from you and how that information may be used. Please take your time to read this Privacy Notice carefully.
About us
2. In this Privacy Notice we use "we" or "us" or "our" or "Spire" to refer to the Spire company who is
using your personal information, and the clinicians who provide your treatment.
3. We will advise you in our communications with you of the specific company within the Spire group of companies that is making decisions about the use of your personal information. Depending on your relationship with us, this may be:
a) Spire Healthcare Group plc, 3 Dorset Rise, London, EC4Y 8EN, Company No. 09084066
b) Spire Healthcare Limited, 3 Dorset Rise, London, EC4Y 8EN, Company No. 01522532
c) Montefiore House Limited, 3 Dorset Rise, London, EC4Y 8EN, Company No. 07414715
Our Data Protection Officer and how to contact us
4. Spire has appointed Jayne O’Hara as the Spire Group data protection officer ("DPO"). The DPO
helps ensure that the Spire group of companies comply with data protection law. Our DPO has responsibility for data protection compliance in respect of the companies set out above in section 3.
5. The DPO can be contacted by:
a) T elephone: 020 7427 9071
b) E-mail: dataprotectionofficer@spirehealthcare.com
c) Post: Data Protection Officer, Spire Healthcare, 3 Dorset Rise, London, EC4Y 8EN
6. If you would like further information about any of the matters in this Privacy Notice or have any other questions about how we collect, store or use your personal information, please contact the DPO using the details above.
Your personal data and clinicians
7. As a patient of Spire, your treatment may be provided by a clinician who is a medical practitioner. For ease of reference, we refer to them simply as 'clinicians' throughout this Privacy Notice Those clinicians make decisions about what information is collected about you, and may maintain their own set of medical records in relation to the treatment that they provide. They are a Data Controller in respect of your personal information which they hold within those records, meaning that they must comply with the data protection legislation and relevant guidance when handling your personal information. To the extent relevant to their practice, you can expect clinicians (including their medical secretaries) to handle your information in line with this Privacy Notice. This includes using your personal information as set out in more detail below.
8. Clinicians who work with Spire (including their medical secretaries) are expected to handle your personal data in accordance with the principles set out within this Privacy Notice. This means that whenever they use your personal data, they will only do so as set out in this Privacy Notice.
9. Clinicians who work with Spire (including their medical secretaries) may process your personal information at a non-Spire site (medical or non-medical).
10. If you want to find out more about the arrangements between Spire and clinicians for handling your information please let us know by contacting our DPO.
2

11. If you have any concerns about the way your clinician has handled your personal information please contact the DPO.
What personal information do we collect and use from patients?
12. The personal information that we collect will depend on your relationship with us. We will collect different information depending on whether or not you are already a patient of Spire.
13. We may use “special categories of personal information” (otherwise known as "special categories of data") about you, such as information relating to your physical and mental health. For example, if you are a patient we will need to use information about your health in order to treat you.
14. If you provide personal information to us about other individuals (including medical or financial information) you should inform the individual about the contents of this Privacy Notice. We will process such information in accordance with this Privacy Notice.
15. In addition, you should note that in the event you amend data which we already hold about you (for instance by amending a pre-populated form) then we will update our systems to reflect the amendments. Our systems will continue to store historical data.
Personal information
16. As a patient of Spire, the personal information we hold about you may include the following:
a) Name
b) Contact details, such as postal address, email address and telephone number (including
mobile number)
c) Financial information, such as credit card details used to pay us
d) Occupation
e) Emergency contact details, including next of kin
f) Background referral details
Special Categories Personal Information
17. As a patient of Spire, we will hold information relating to your medical treatment which is known as a special category of personal data under the law, meaning that it must be handled even more sensitively. The special categories of personal information we hold about you may include the following:
a) Details of your current or former physical or mental health. This may include information about any healthcare you have received (both from Spire directly and other healthcare providers such as GPs, dentists or hospitals (private and/or NHS)) or need, including about clinic and hospital visits and medicines administered. We provide further details below on the manner in which we handle such information.
3

b) Details of services you have received from us
c) Details of your nationality, race and/or ethnicity
d) Details of your religion
e) Details of any genetic data or biometric data relating to you
f) Data concerning your sex life and/or sexual orientation
18. The confidentiality of your medical information is important to Spire. We make every effort to
prevent unauthorised access to and use of information relating to your current or former physical
and mental health. In doing so, Spire complies with UK data protection law, including the Data
Protection Act 2018, and all applicable medical confidentiality guidelines issued by professional
bodies including, but not limited to, the General Medical Council and the Nursing and Midwifery
Council.
19. From 25 May 2018, the current Data Protection Act will be replaced by the EU General Data Protection Regulation (GDPR) and a new Data Protection Act. All uses of Spire information will comply with the GDPR and the new Data Protection Act from that date onwards
How do we collect your information?
20. We may collect personal information from a number of different sources including, but not limited to:
a) GPs
b) Dentists
c) Other hospitals, both NHS and private
d) Mental health providers
e) Commissioners of healthcare services
f) Clinicians (including their medical secretaries)
Directly from you
21. Information may be collected directly from you when:
a) You enter into a contract with Spire for the provision of healthcare services
b) You use those services
c) You complete enquiry forms on the Spire website
d) You submit a query to us including through our website, by email or by social media
e) you correspond with us by letter, email, telephone (all incoming and outgoing calls from/to
patients are recorded) or social media, including where you reference Spire in a public social
media post
f) You take part in our marketing activities
g) You use Spire GP
From other healthcare organisations
4

22. Our patients will usually receive healthcare from other organisations in addition to Spire, and so in
order to provide you with the best treatment possible we may have to collect personal information
about you from other organisations. These may include:
a) Medical records from your GP
b) Medical records from your clinician (including their medical secretaries)
c) Medical records from your dentist
d) Medical records from the NHS or any private healthcare organisation
23. Medical records include information about your diagnosis, clinic and hospital visits and medicines
administered.
From third parties
24. As detailed in the previous section, it is often necessary to seek information from other healthcare
organisations. We may also collect information about you from third parties when:
a) You are referred to us for the provision of services including healthcare services
b) We liaise with your current or former employer, health professional or other treatment or
benefit provider
c) We liaise with your family
d) We liaise with your insurance policy provider
e) We deal with experts (including medical experts) and other service providers about
services you have received or are receiving from us
f) We deal with NHS health service bodies about services you have received or are
receiving from us
g) We liaise with credit reference agencies
h) We liaise with debt collection agencies
i) We liaise with Government agencies, including the Ministry of Defence, the Home Office
and HMRC
How will we communicate with you?
25. In order to communicate with you, we are likely to do this by telephone, SMS, email, and / or post.
If we contact you using the telephone number(s) which you have provided (landline and/or
mobile), and you are not available which results in the call being directed to a voicemail and/or
answering service, we may leave a voice message on your voicemail and/or answering service as
appropriate.
26. However:
a) to ensure that we provide you with timely updates and reminders in relation to your
healthcare (including basic administration information and appointment information
(including reminders)), we may communicate with you by SMS and/or unencrypted email
5

(where you have provided us with your email address) in each case where you have
expressed a preference in the patient registration form to be contacted by SMS and / or
email.
b) to provide you with your medical information (including test results and other clinical
updates) and/or invoicing information, we may communicate with you by email (which will
be encrypted) where you have provided us with your email address and have expressed
a preference in the patient registration form to be contacted by email. The first time we
send you any important encrypted email e.g one that we are not also sending by post or
which requires action to be taken, we will endeavour to contact you separately to ensure
that you are able to access the encrypted email you are sent.
c) If we have your mobile number or your email address we may use this method of
communication to contact you regarding patient surveys which are for the purpose of
improving our service or monitoring outcomes and are not a form of marketing.
27. Please note that although providing your mobile number and email address and stating a
preference to be communicated by a particular method will be taken as an affirmative
confirmation that you are happy for us to contact you in that manner, we are not relying on your
consent to process your personal data in order to correspond with you about your treatment. As
set out further below, processing your personal data for those purposes is justified on the basis
that it is necessary to provide you with healthcare services
28. We are also developing a patient portal, called MySpire, which is currently planned for launch in
October 2018 (although this is yet to be confirmed). The portal is intended, in the first instance, to
allow patients to book appointments, with additional features to be developed over time. As we
develop MySpire and understand the specific detail on how it will work, we will update this Privacy
Notice before it goes live.
Surveys
29. As detailed above, we may contact you to ask you to participate in surveys regarding your
treatment with Spire. The surveys will largely be sent post-treatment by email or SMS. This is not
a form of marketing and the surveys do not try to sell you any further products or services; it is
solely to gather information relating to your experience of Spire, for the purposes of improving the
quality and safety of the services we offer to future patients. It is necessary for us to process your
personal data in order to contact you with these surveys, on the basis of our appropriate business
needs and to improve the quality of the healthcare services we offer (as set out under purpose 8
below). Participation in the surveys is entirely voluntary. You may decide not to complete the
surveys and you will have the option to unsubscribe from receiving further survey invitations. You
may also be given the opportunity to proactively opt into receiving a call back to further discuss
your survey responses. These are all matters entirely for you.
6

30. In addition, we may also contact you to invite you to participate in on-line surveys which aim to
monitor the outcomes of your treatment. Again these surveys are not a form of marketing. They
are called Patient Reported Outcome Measures (“PROMs”). For private patients the results are
shared with PHIN (see section 60) and for NHS patients the results are shared with NHS
England, An initial invitation asking you to participate may be sent to you before your treatment
takes place. This may be by post, SMS, email or in person when you attend the hospital for
treatment. If you choose to complete a PROMs survey you will also receive subsequent surveys
following your treatment to help establish the benefit you have gained from treatment.
What are the purposes for which your information is used?
31. We may 'process' your information for a number of different purposes, which is essentially the
language used by the law to mean using your data. Each time we use your data we must have a
legal justification to do so. The particular justification will depend on the purpose of the proposed
use of your data. When the information that we process is classed as “special category of
personal information”, we must have a specific additional legal justification in order to use it as
proposed.
32. Generally we will rely on the following legal justifications, or 'grounds':
a) Taking steps at your request so that you can enter into a contract with Spire and/or clinician to receive healthcare services from us.
b) For the purposes of providing you with healthcare pursuant to a contract between you and Spire and/or clinician. We will rely on this for activities such as supporting your medical treatment or care and other benefits, supporting your doctor, nurse, carer or other healthcare professional and providing other services to you.
c) We have an appropriate business need to process your personal information and such business need does not cause harm to you. We will rely on this for activities such as quality assurance, maintaining our business records, developing and improving our products and services and monitoring outcomes.
d) We have a legal or regulatory obligation to use such personal information.
e) We need to use such personal information to establish, exercise or defend our legal
rights.
f) You have provided your consent to our use of your personal information.
33. Note that failure to provide your information further to a contractual requirement with us or a clinician may mean that we are unable to set you up as a patient or facilitate the provision of your healthcare on Spire’s systems.
34. We provide further detail on these grounds in the sections below.
7

Appropriate business needs
35. One legal ground for processing personal data is where we do this in pursuit of legitimate interests and those interests are not overridden by your privacy rights. Where we refer to use for our appropriate business needs, we are relying on this legal ground.
36. Special categories of personal information includes information about your:
a) Health
b) Sex life
c) Sexual orientation
d) Ethnicity
e) Political opinions
f) Religious or philosophical beliefs
g) Genetic or biometric information
The right to object to other uses of your personal data
37. You have a range of rights in respect of your personal data, as set out in detail in sections 91 to 113. This includes the right to object to Spire using your personal information in a particular way (such as sharing that information with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing treatment.
You will find details of our legal grounds for each of our processing purposes below. We have set out individually those purposes for which we will use your personal information, and under each one we set out the legal justifications, or grounds, which allow us to do so. You will note that we have set out a legal ground, as well as an 'additional' legal ground for special categories of personal information. This is because we have to demonstrate additional legal grounds where we are using information which relates to a person's healthcare, as we will be the majority of the times we use your personal information.
Purpose 1: To set you up as a patient on Spire’s systems including carrying out fraud, credit, anti-money laundering and other regulatory checks
38. As is common with most business, we have to carry out necessary checks in order for you to become a patient. These include standard background checks, which we cannot perform without using your personal information.
39. Legal ground: Taking the necessary steps so that you can enter into a contract with us for the delivery of healthcare.
8

40. Additional legal ground for special categories of personal information: The use is necessary for reasons of substantial public interest.
Purpose 2: To provide you with healthcare and related services
41. Clearly, the reason you come to us is to provide you with healthcare, and so we have to use your personal information for that.
42. Legal grounds:
a) Providing you with healthcare and related services
b) Fulfilling our contract with you for the delivery of healthcare
43. Additional legal grounds for special categories of personal information:
44. We will use your personal information in order to ensure that your account and billing is fully accurate and up-to-date
45. Legal grounds:
c) Our having an appropriate business need to use your information which does not overly prejudice you
46. Additional legal grounds for special categories of personal information:
Purpose 4: For medical audit/research purposes
Clinical audit
47. Spire may process your personal data for the purposes of local clinical audit – i.e. an audit carried out by your direct care team for the purposes of assessing outcomes for patients and identifying improvements which could be made for the future. We are able to do so on the basis of a legitimate interest and the public interest in statistical and scientific research, and with appropriate
a) We need to use the data in order to provide healthcare services to you
b) The use is necessary to protect your vital interests where you are physically or legally
incapable of giving consent
Purpose 3: For account settlement purposes
a) Our providing you healthcare and other related services
b) Fulfilling our contract with you for the delivery of healthcare
a) We need to use the data in order to provide healthcare services to you
b) The use is necessary in order for us to establish, exercise or defend our legal rights
9

safeguards in place. You are, however, entitled to object to us using your personal data for this purpose, and as a result of which we would need to stop doing so. If you would like to raise such an objection then please contact our Data Protection Officer using the details provided in paragraph 5 above.
48. We may also be asked to share information with U.K. registries for which ethical approval is not necessarily required but which form part of the National Clinical Audit programme, hosted by NHS England and who provide a list of National Clinical Audit and Clinical Outcome Review programmes and other quality improvement programmes which we should prioritise for participation.
49. A full copy of the current list can be found at https://www.hqip.org.uk/list which comprises the national organisations with whom we regularly share data for the purposes of audit. We may also share your data with other audit programmes which are set up by professional associations.
50. We may do so without your consent provided that the particular audit registry has received statutory approval, or where the information will be provided in a purely anonymous form, otherwise your consent will be needed. In those circumstances, the relevant registry organisation may have consent processes of their own so any questions in that regard should be directed to the organisations themselves, otherwise we will obtain that consent from you.
Medical research
51. Spire also participates in medical research and shares data with ethically approved third party research organisations.
52. We will share your personal data only to the extent that it is necessary to do so in assisting research and as permitted by law. Some research projects and/or registries have received statutory approval such that consent may not be required in order to use your personal data. In those circumstances, your personal will be shared on the basis that:
Legal grounds:
Additional legal grounds for special categories of personal information:
53. In the event that consent is required then either the research organisations will obtain this from you themselves, and so any questions in that regard should be directed to them, or we will take
a) We have a legitimate interest in helping with medical research and have put appropriate
safeguards in place to protect your privacy
b) The processing is necessary in the public interest for statistical and scientific research
purposes
10

consent from you.
Purpose 5: Communicating with you and resolving any queries or complaints that you might
have.
54. From time to time, patients may raise queries, or even complaints, with Spire and we take those communications very seriously. It is important that we resolve such matters fully and properly, and so we will need to use your personal information in order to do so.
55. Legal grounds:
a) Our providing you with healthcare and other related services
b) Our having an appropriate business need to use your information which does not overly
prejudice you
56. Additional legal grounds for special categories of personal information:
a) The use is necessary for the provision of healthcare or treatment pursuant to a contract
with a health professional
b) The use is necessary in order for us to establish, exercise or defend our legal rights
Purpose 6:
Communicating with any other individual that you ask us to update about your care
and updating other healthcare professionals about your care.
57. In addition, other healthcare professionals or organisations may need to know about your treatment in order for them to provide you with safe and effective care, and so we may need to share your personal information with them. Further details on the third parties who may need access to your information is set out at section 76 below.
58. Legal grounds:
a) Our providing you with healthcare and other related services
b) We have a legitimate interest in ensuring that other healthcare professionals who are
routinely involved in your care have a full picture of your treatment
59. Additional legal ground for special categories of personal information:
60. We also participate in initiatives to monitor safety and quality, helping to ensure that patients are getting the best possible outcomes from their treatment and care. The Competition and Markets Authority Private Healthcare Market Investigation Order 2014 established the Private Healthcare
a) We need to use the data in order to provide healthcare services to you
b) The use is necessary for reasons of substantial public interest under UK law
c) The use is necessary in order for us to establish, exercise or defend our legal rights
11

Information Network (“PHIN”), as an organisation who will monitor outcomes of patients who receive private treatment. Under Article 21 of that Order, we are required to provide PHIN with information related to your treatment, including your NHS Number in England and Wales, CHI Number in Scotland or Health and Care Number in Northern Ireland), the nature of your procedure, whether there were any complications such as infection or the need for readmission/admission to a NHS facility and also the feedback you provided as part of any PROMs surveys. PHIN will use your information in order to share it with the NHS, and track whether you have received any follow-up treatment. We will only share this information with PHIN if you have provided your consent for us to do so.
61. The records that we share may contain personal and medical information about patients, including you. PHIN, like us, will apply the highest standards of confidentiality to personal information in accordance with data protection laws and the duty of confidentiality. Any information that is published by PHIN will always be in anonymised statistical form and will not be shared or analysed for any purpose other than those stated. Further information about how PHIN uses information, including its Privacy Notice, is available at www.phin.org.uk . We will be happy to print a copy for you if you prefer.
Purpose 7: Complying with our legal or regulatory obligations, and defending or exercising our legal rights
62. As a provider of healthcare, we are subject to a wide range of legal and regulatory responsibilities which is not possible to list fully here. We may be required by law or by regulators to provide personal information, and in which case we will have a legal responsibility to do so. From time to time, Spire and its clinicians are also the subject of legal actions or complaints. In order to fully investigate and respond to those actions, it is necessary to access your personal information (although only to the extent that it is necessary and relevant to the subject-matter).
63. Legal grounds:
a) The use is necessary in order for us to comply with our legal obligations
64. Additional legal ground for special categories of personal information:
65. As detailed at section 60, we participate in initiatives to ensure that patients are getting the best possible outcomes from their treatment and care. The records that we share may contain personal and medical information about patients, including you. With respect to PHIN we will only
a) We need to use the data in order for others to provide informed healthcare services to
you
b) The use is necessary for reasons of the provision of health or social care or treatment or
the management of health or social care systems
c) The use is necessary for establishing, exercising or defending legal claims
12

share information with them with your consent. PHIN, like us, will apply the highest standards of confidentiality to personal information in accordance with data protection laws and the duty of confidentiality. Any information that is published by PHIN will always be in anonymised statistical form and will not be shared or analysed for any purpose other than those stated. Further information about how PHIN uses information, including its Privacy Notice, is available at www.phin.org.uk. We will be happy to print a copy for you if you prefer.
66. We are also required by law to conduct audits of health records, including medical information, for quality assurance purposes. Your personal and medical information will be treated in accordance with guidance issued by the Care Quality Commission (England), Health Inspectorate Wales and Healthcare Improvement Scotland
Purpose 8: Providing improved quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers) including conducting post treatment surveys
67. Spire is a quality-conscious organisation, and always looking to learn from patients’ experiences in order to improve the experience for future patients. With that in mind, we will use your personal information to identify where such improvements can be made, such as reviewing recorded phone calls to assess whether anything can be learnt and contacting you to seek your valuable thoughts on the Spire experience.
68. Legal grounds:
a) Our having an appropriate business need to use your information which does not overly
prejudice you
69. Additional legal ground for special categories of personal information:
a) We need to use the data in order to manage the healthcare services we deliver, including carrying out surveys (which are not a form of marketing) in order to identify and carry out any necessary improvements
Purpose 9: Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice)
70. In order to do this, we will not need to use your special categories of personal information and so we have not identified the additional ground to use your information for this purpose.
71. Legal grounds:
a) Our having an appropriate business need to use your information which does not overly
prejudice you
13

Purpose 10: Provide marketing information to you (including information about other products and services offered by selected third-party partners) in accordance with preferences you have expressed in the Patient Registration Form
72. As a business, we need to carry out marketing but we are mindful of your rights and expectations in that regard. As a result, we will only provide you with marketing which is relevant to our business and only where you have specifically confirmed your consent to do so.
73. Legal grounds:
a) Our having an appropriate business need to use your information which does not overly
prejudice you
b) You have provided your consent
Who do we share your information with?
74. From time to time, we may share your personal information within our group or with third parties.
Disclosures within the Spire group of companies
75. We may share your personal information with other companies in the Spire group. This might be because we need to share information relating to your treatment within our group of companies.
Disclosures to third parties:
76. We may disclose your information to the third parties listed below for the purposes described in
this Privacy Notice. This might include:
a) A doctor, nurse, carer or any other healthcare professional involved in your treatment
b) Other members of support staff involved in the delivery of your care, like receptionists and
porters
c) Anyone that you ask us to communicate with or provide as an emergency contact, for
example your next of kin or carer
d) NHS organisations, including NHS Resolution, NHS England, Department of Health
e) Other private sector healthcare providers
f) Your GP
g) Your dentist
h) Your clinician (including their medical secretaries)
i) Third parties who assist in the administration of your healthcare, such as insurance
companies
j) Private Healthcare Information Network
14

k) National and other professional research/audit programmes and registries, as detailed under purpose 4 above
l) Government bodies, including the Ministry of Defence, the Home Office and HMRC
m) Our regulators, like the Care Quality Commission, Health Inspectorate Wales and Healthcare
Improvement Scotland
n) The police and other third parties where reasonably necessary for the prevention or detection
of crime
o) Our insurers
p) Debt collection agencies
q) Credit referencing agencies
r) Our third party services providers such as IT suppliers, actuaries, auditors, lawyers, marketing
agencies, document management providers and tax advisers
s) Selected third parties in connection with any sale, transfer or disposal of our business
77. We
email, post, fax and telephone.
may communicate with these third parties in a variety of ways including, but not limited to,
What marketing activities do we carry out?
78. We may also use your personal information to provide you with information about products or services which may be of interest to you where you have provided your consent for us to do so.
79. If you no longer wish to receive marketing emails sent by us, you can click on the "unsubscribe" link that appears in all of our emails, otherwise you can always contact us using the details set out in section 5 to update your contact preferences.
80. We may also provide your personal information to market research agencies for collecting your feedback which will be used to develop better products and services for you.
81. If you no longer wish to receive non-website based marketing information or for us to provide your information to market research agencies, please contact our DPO. The DPO's contact details can be found at section 5 above.
82. An automated decision is a decision made by computer without any human input, and there will be no automated decision-making in relation to your treatment or other decisions which will produce legal or similarly significant effects. We may, however, decide to carry out automated- profiling in respect of your personal information, which is automated processing to evaluate certain characteristics in order for us to provide more tailored marketing. We may then focus our marketing to you depending on the outcome of that profiling. This could include targeted ads through social media platforms such as Facebook, Twitter, Instagram and LinkedIn.
83. We have put in place appropriate measures to safeguard any information subject to profiling, particularly by ensuring that any information passed onto third party marketing agencies will be in an anonymous form so that you cannot be identified. You also have the right to object to auto-
15

profiling (or challenge the outcome), and can do so by contacting our DPO.
84. If you would like further information about this, please contact our DPO for further details (see
section 5 for contact details).
How long do we keep personal information for?
85. We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice (a summary of our Retention Policy can be found at []) and in order to comply with our legal and regulatory obligations.
86. If you would like further information regarding the periods for which your personal information will be stored, please contact our DPO for further details.
International data transfers
87. We (or third parties acting on our behalf) may store or process information that we collect about you in countries outside the European Economic Area ("EEA"). Where we make a transfer of your personal information outside of the EEA we will take the required steps to ensure that your personal information is protected.
a) To the extent that it is necessary to do so, Spire may transfer your personal data outside of the EEA to the United States to the following specific types of third party:
i. Suppliers of medical devices e.g. heart monitoring equipment
ii. Suppliers of bespoke prostheses e.g. 3D knee prosthesis suppliers
iii. Suppliers of genomic testing e.g. we send pathology samples to a lab in the US who genetically map tumours to determine the effectiveness of immunotherapy drugs
88. We will only do so to the extent that it is relevant and necessary. The United States and the EEA have in place a framework, known as Privacy Shield, to facilitate compliance with data protection obligations when transferring personal data. Privacy Shield has been assessed by the EU Commission, and deemed to provide adequate protection to personal data.
89. If you would like further information regarding the steps we take to safeguard your personal information, please contact the DPO using the details set out in section 5.
90. Please note that we have listed above the current common transfers of personal data outside of the EEA but it may be necessary, in future, to transfer such data for other purposes. In the event that it is necessary to do so, we will update this Privacy Notice.
16

Your rights
91. Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details set out above at section 5 above.
92. There will not usually be a charge for handling a request to exercise your rights.
93. If we cannot comply with your request to exercise your rights we will usually tell you why.
94. There are some special rules about how these rights apply to health information as set out in
legislation including the Data Protection Act (current and future), the General Data Protection
Regulation as well as any secondary legislation which regulates the use of personal information.
95. If you make a large number of requests or it is clear that it is not reasonable for us to comply with
a request then we do not have to respond. Alternatively, we can charge for responding.
Your rights include:
The right to access your personal information
96. You are usually entitled to a copy of the personal information we hold about you and details about how we use it.
97. Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.
98. Please note that in some cases we may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you.
99. You are entitled to the following under data protection law.
i. The purposes for which we use your personal information
ii. The types of personal information we hold about you
iii. Who your personal information has been or will be shared with, including in particular
1. Under Article 15(1) of the GDPR we must usually confirm whether we have personal
information about you. If we do hold personal information about you we usually need to
explain to you:
17

organisations based outside the EEA.
iv. If your personal information leaves the EU, how we make sure that it is protected
v. Where possible, the length of time we expect to hold your personal information. If
vi. If the personal data we hold about you was not provided by you, details of the source
vii. Whether we make any decisions about you solely by computer and if so details of
viii. Your right to ask us to amend or delete your personal information
ix. Your right to ask us to restrict how your personal information is used or to object to
x. Your right to complain to the Information Commissioner's Office
2. We also need to provide you with a copy of your personal data
100. We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.
The right to erasure (also known as the right to be forgotten)
101. We may update this Privacy Notice from time to time to ensure that it remains accurate, and the most up-to-date version can always be found at []. In the event that there are any material changes to the manner in which your personal information is to be used then we will provide you with an updated copy of this Privacy Notice.
102. In some circumstances, you have the right to request that we delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
The right to restriction of processing
103. In some circumstances, we must "pause" our use of your personal data if you ask us to. We do not have to comply with all requests to restrict our use of your personal information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
that is not possible, the criteria we use to determine how long we hold your
information for
of the information
how those decision are made and the impact they may have on you
our use of your personal information
The right to rectification
18

The right to data portability
104. In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible another individual/ organisation of your choice. The information must be transferred in an electronic format.
The right to object to marketing
The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)
106. You have a right to not be subject to automatic decisions (i.e. decisions that are made about
you by computer alone) that have a legal or other significant effect on you.
107. Please see section 82 for detail about when we may make automatic decisions about you.
108. If you have been subject to an automated decision and do not agree with the outcome, you
can challenge the decision. More about this is explained in section 83.
The right to withdraw consent
109. In some cases we need your consent in order for our use of your personal information to comply with data protection legislation.
110. We have explained in section 32 where we rely on your consent in this way. Where we do this, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting Spire’s DPO whose details can be found in section 5.
The right to complain to the Information Commissioner's Office
105. You can ask us to stop sending you marketing messages at any time and we must comply
with your request. You can do this by contacting the DPO (see section 5 for details).
111. You can complain to the Information Commissioner's Office if you are unhappy with the way
that we have dealt with a request from you to exercise any of these rights, or if you think we have
not complied with our legal obligations.
112. More information can be found on the Information Commissioner’s Office website:
https://ico.org.uk/
113. Making a complaint will not affect any other legal rights or remedies that you have.
National Data Opt-Out Programme
114. NHS Digital is currently developing a national programme which will go live on 25 May 2018,
pursuant to which all patients will be able to log their preferences as to sharing of their personal
19

information. All health and care organisations will be required to uphold patient choices, but only
from March 2020. In the meantime you should make Spire aware directly of any uses of your
data to which you object.
Updates to this Privacy Notice
115. We may update this Privacy Notice from time to time to ensure that it remains accurate. In the event that these changes result in any material difference to the manner in which we process your personal data then we will provide you with an updated copy of the Policy.
116. This Privacy Notice was last updated on 6 April 2018.