Privacy Notice for Patients and Health Assessment Clients

This Privacy Notice sets out important details about information that BMI Healthcare and doctors responsible for your care, treatment and health assessments may collect and hold about you, how that information may be used and your legal rights. Please take time to read this Privacy Notice carefully and contact us if you have any questions about its content.

We will review this Privacy Notice on a periodic basis and we advise you to check back on our website for the latest version.

Who has information about me?

Our hospitals are run by BMI Healthcare Limited.  Some of our hospitals (BMI Southend Private Hospital, BMI Three Shires Hospital and BMI Syon Clinic) and some of the services in some of our hospitals (the oncology service at BMI Beardwood Hospital and the imaging services at BMI Mount Alvernia Hospital and BMI Three Shires Hospital) are owned by partner companies, each of which has a management contract with BMI Healthcare and forms part of the BMI Healthcare group.  A partner company also owns the CT and MRI scanners at BMI The Meriden Hospital; this service is managed by UME.

All these companies are registered at BMI Healthcare, 1st Floor, 30 Cannon Street, London EC4M 6XH and their full names and registered company numbers are as follows:

  • BMI Healthcare Limited – 02164270
  • Three Shires Hospital LLP – OC398963
  • BMI Southend Private Hospital Limited – 05155289
  • BMI Syon Clinic Limited – 05706302
  • North West Cancer Clinic Limited (05706220) – BMI Beardwood Hospital oncology service
  • BMI Imaging Clinic Limited (05706274) – imaging service at BMI Mount Alvernia Hospital
  • The Pavilion Clinic Limited (06061941) – imaging service at BMI Three Shires Hospital
  • Meriden Hospital Advanced Imaging Centre Limited (05607465) – MRI and CT service at BMI The Meriden Hospital

Each of these companies may, to the extent relevant, collect, retain and use information about you and we refer to these collectively as 'BMI Healthcare' in this document.

External websites

We may from time to time include on our websites links to and from the websites of other organisations.  If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.  Please check these policies and notices before you submit any personal data to these websites.

Where did you get this information from and what information does BMI Healthcare hold about me?

We have information about you which you and others involved in your care and treatment (or their secretaries) or who are paying for your care and treatment have supplied to us.  This is likely to include your name and contact details (postal and email addresses and phone numbers) as well as emergency contact details, including your next of kin.  For our health assessment clients who come to us through their employer's health assessment benefit scheme, we have information about you which your employer has supplied to us.  This is likely to include your name and contact details (postal and email addresses and phone numbers).

We may also hold more sensitive information about you, such as your current or previous physical or mental health, your sex life and/or sexual orientation, your religion, nationality, race and/or ethnicity and genetic or biometric data relating to you.  This may also include details of healthcare services provided previously by BMI Healthcare and others such as GPs, dentists, or previous hospital visits and details of any medications you have been prescribed or taken.  We refer to this as 'more sensitive information' in this Privacy Notice.

We may collect information from you when you visit our websites or enquire about our products or services.  We may hold information about you contained in enquiry or booking forms, including through our 'make an enquiry' or 'Live Support' sections of our websites.  In addition we may hold information about you that you provide in surveys or in feedback or from transactions you carry out on our websites or online payments you make.

If you call our helpline or contact our live support via our website, these telephone calls or live chats may be recorded and retained for a limited period for training and monitoring purposes and to help improve our services.

Sometimes we obtain information about you from credit reference agencies, debt collection agencies and government agencies such as HMRC or the Home Office.

In order for us to provide your health assessment, care and/or treatment, we ask that you provide as much information to us as you can.  You are of course free not to disclose information to us and you should only provide such information as you feel comfortable doing so.  Please bear in mind, however, that if you are only willing to share limited information, we may not be able to provide you with a full health assessment or the full range of care and treatment (as applicable), and that could mean being unable to see you at the hospital (since we may not be able to share your information in the way required in order to provide your health assessment, care or treatment, or run our business (for example, billing) and comply with our legal obligations).

How will BMI Healthcare use the information it holds about me?

We use information about you in connection with your health assessment, treatment and/or care, including tests or assessments and medical examinations.  We will use this also in connection with payment of fees, including billing, invoicing and settlement of your account with us. 

We may use your phone number (or email address where you have provided it to us) to contact you in advance of and after your admission or appointment for reasons connected with your health assessment, care or treatment.  Where you have provided us with your mobile number or email address, we may send you confirmations/reminders of your appointments via text message or email and we may respond to your email enquiries via email.

We may also use information about you for quality assurance, maintaining our business records, developing and improving our products and services and monitoring outcomes where we believe there is a business need to do so and our use of information about you does not cause harm to you.  This may include our workforce planning and workload management systems to help support our staff and clinicians to develop and plan the most appropriate levels of care to our patients and to ensure we have got the right levels of productivity and efficiency and good outcomes for patients. 

We may also use information about you where there is a legal or regulatory obligation on us to do so (such as the prevention of fraud) or in connection with legal proceedings. 

We may also use information about you where you have provided your consent to us doing so.

We do not carry out automated decision making or profiling.

Please see also the more detailed information in the section below.

Will BMI Healthcare share information about me with others?

Yes; we set out these reasons below and assure you that in each case, we share only such information as is appropriate.   

Sharing information with those involved in your health assessment, care or treatment (or with those who are paying for your care or treatment)

We will share your medical information with those involved in your health assessment, care or treatment (such as doctors, nurses and physiotherapists) for medical purposes (including the provision of health assessments).  Some of our nursing staff and the resident doctors in our hospitals are provided by specialist staffing agencies.  Consultants (such as surgeons, anaesthetists and radiologists) and some of their medical secretaries are also not employed by us.  We try to ensure there is a single patient record for each patient who is seen at one of our hospitals, whether as an inpatient, outpatient or day case and we ask consultants working at our hospitals to ensure a copy of their records, including consultation records, is included in each patient's records at the hospital.  In addition to this, your surgeon may also create his or her own records about you and should therefore also make available to you their own privacy notice.   

The doctors, nurses and other specialists carrying out health assessments are not employed by us and deliver these health assessments to our health assessment clients under a contract with BMI Healthcare, which includes strict confidentiality requirements.

We will also share information about you with other members of staff involved in the delivery of your care (such as our housekeeping teams, medical secretaries, receptionists, and porters).   

Some of those involved with your health assessment, treatment or care are external companies providing services such as blood tests and blood for transfusions, analysis of tissue samples, such as biopsies, and catering.  We work with some specialist companies that are based outside of the European Economic Area; including for specialist medical devices, bespoke prostheses and certain genomic testing.  Local NHS hospitals provide some of our hospitals with support services (such as blood tests and housekeeping) and we may share information about you with these hospitals where required in connection with your care.

We may also share relevant parts of your medical information with your GP, dentist, NHS hospitals, other private hospitals and the organisation paying for your treatment (for example your insurance company, embassy, employer or NHS commissioner).   For our health assessment clients who come to us through their employer's health assessment benefit scheme, please be assured that we will not share your medical information with your employer. 

If we are concerned that you may be vulnerable or 'at risk', we may share information about you with the local Safeguarding Team, the specialist members of which come from the local authority, NHS organisations and the police.

We may share information about you with anyone you have asked us to communicate with or whose details you have provided as an emergency contact (such as your next of kin).

Sharing information with third parties who are not involved in your health assessment, care or treatment

We may share information about you with external organisations such as our lawyers, auditors, financial, tax and public relations advisors and NHS organisations.  We may also share information about you with third party suppliers, which provide us with a secure credit/debit card storage system, document scanning and off-site storage facilities, electronic patient and clinical staff administration and records systems and radiology imaging archiving and reporting systems.  We may also share information about you with those providing us with information technology systems; this includes an incident management and recording system and a system for electronic prescribing as well as other clinical and non-clinical software applications (and related services) and website hosting.  In each case, we would share only such information as was relevant.

Sharing your information with credit checking and debt collection agencies*

If your bill is not paid on time, we may share information (such as copy invoices) with debt collection agencies.  If you apply for the BMICard (which offers payment options for treatment at our hospitals), information relating to your application will be shared with the BMI Healthcare team which processes these applications and may also be shared with credit checking agencies. 

Please be assured that your medical records would not be shared either with credit checking agencies or with debt collection agencies.  If you do not apply for the BMICard and your bill is paid on time, then no information about you will be shared with these agencies. 

* This section does not apply to health assessment clients as payment for those assessment services is made either by your employer or in advance by you where you pay for these services yourself.

Sharing with regulators or because of a legal obligation

We may share information about you with our regulators, including the Care Quality Commission, Healthcare Improvement Scotland and Healthcare Inspectorate Wales (which inspect our hospitals in England, Scotland and Wales respectively).  Other regulators with whom we may share information about you include the Medicines and Healthcare products Regulatory Agency (which ensures medicines and medical devices used in the UK work and are acceptably safe), the Human Fertilisation and Embryology Authority (which regulates and inspects all our clinics providing fertility services or which store eggs, sperm or embryos), NHS England (which leads the NHS in England) and the Department of Health (the government department responsible for health and adult social care policy). 

Sometimes, we are required to disclose information about you because we are legally required to do so.  This may be because of a court order or because a regulatory body has statutory powers to access patients' or health assessment clients' records as part of their duties to investigate complaints, accidents or health professionals' fitness to practise.  Before any disclosure will be made, we will satisfy ourselves that any disclosure sought is required by law or can be justified in the public interest.   Information about you may also be shared with the police and other third parties where reasonably necessary for the prevention or detection of crime.  On occasion, this may include the Home Office and HMRC.

Audits, surveys and initiatives

In common with all healthcare providers (both NHS and private), we also look at the quality of the care we provide to patients and health assessment clients and participate in national audits and initiatives to ensure that patients are getting the best possible outcomes from their treatment and care and to help patients make informed choices about the care they receive.  We can assure you that your personal information remains under our control at all times and we ensure that, except as described below in relation to Quality Health, the survey provider we use for our patient surveys, any information we provide for national audits and initiatives outside of BMI Healthcare will not contain any information in which any patient can be identified, unless it is required by law.  Any publishing of this data will be in anonymised statistical form. 

We use Quality Health, an independent survey provider, to help us with patient surveys. These surveys allow you to share your views to help us improve the services we offer (our patient satisfaction survey), help us to assess outcomes from your treatment and care (our outcomes survey), and give you the opportunity to share your views to help Consultants improve the services they offer (our consultant survey).

If you undergo a certain type of surgical procedure, you will be invited to complete two outcomes surveys, one survey before your operation and a second survey after your operation. The purpose of these surveys is to help ensure that patients are getting the best possible outcomes from their treatment and care. The outcomes surveys are offered in paper format. If you complete a paper outcomes questionnaire, we will share with Quality Health your name, date of birth, patient record number, and your Consultant's name.

Following your appointment or discharge from hospital, you will be invited to complete our patient satisfaction survey and our Consultant survey. We offer the patient satisfaction survey both in paper and online format. We will share with Quality Health your name and your email address so they can send you a link to the online patient satisfaction survey after you have been discharged. If you include your contact details on the online survey form or on the paper survey form, then Quality Health will hold those details. Quality Health collates and analyses the responses received and passes these to us; unless you choose to include your contact details, we cannot identify individual patients from those responses. 

We offer the Consultant survey in paper format.  If you complete this survey, we will share with Quality Health your name, date of birth, patient record number, the date you attended the hospital for your appointment, and your Consultant's General Medical Council registration number.

We may also ask you questions about the quality of our service at the end of our telephone-based pre-assessment screening.

One of the national programmes we participate in is run by the Private Healthcare Information Network (PHIN) which is an independent statutory entity enabling patients to compare privately-funded healthcare (both hospitals and consultants).  PHIN has its own privacy notice (a copy of which can be accessed via their website).  We may share some of your personal data (including NHS Number in England and Wales, CHI Number in Scotland or Health and Care Number in Northern Ireland, as well as age, gender, ethnicity or race, diagnosis, and details relating to the procedure you underwent) with PHIN.  That would enable PHIN to send this Number to the relevant national information authority (for example NHS Digital in England) which can link it to national hospital and mortality data.  The linked information, with your personal data removed, would then be provided to PHIN to measure quality of care, check for adverse events after discharge from this hospital, such as unplanned readmissions to hospital, emergency transfers between hospitals, or deaths following treatment.  Additionally, the records we send to PHIN will include your postcode to enable statistical processing.  Personal information is treated with high standards of confidentiality in accordance with data protection laws and the duty of confidentiality.  Any information that is published will always be in anonymised statistical form and will not identify you.  This information will not be shared or analysed for any purpose other than those described in this section.  As we are required by law to share this information with PHIN, and it is also necessary for the purposes of the management of the private health sector, we do not need your consent in order to share it. 

Change of hospital ownership

If we were to sell or transfer a hospital or part of our business to another organisation, your patient and health assessment records would also transfer to the new owner.  Limited information may also be shared, where required, with legal and other professional advisors involved in that transaction. 

The reason we would transfer your records is to minimise the disruption to current or past patients caused by the sale or transfer and to ensure we and a new owner were able to comply with our legal obligations regarding the retention of patients' and other clients' medical records and to ensure continuity of care.

Where you have provided us with consent

You may choose to opt in to receiving information about other services BMI Healthcare offers by post or email.

In this case, your consent or decision to opt in is entirely voluntary.  Should you decide not to consent or opt in or should you change your mind at any time, you do not need to give a reason and your medical care and legal rights will not be affected.  You can opt-out by clicking on the 'unsubscribe' button in all our marketing communications. 

Apart from this limited instance, we do not hold or share information about you based on (or at least solely on) consent.

What legal basis does BMI Healthcare have for using information about me?

Data protection law requires that we set out the legal basis for holding and using information about you.  We have set out the various reasons we use information about you and alongside each, the legal basis for doing so.  Given that some information we hold about you is particularly sensitive (as described above), we need an additional legal basis which we have set out in the third column (entitled 'legal basis for more sensitive information') explaining our reason for this.

Reason / Legal Basis / Additional legal basis for special categories of personal data:
Taking an enquiry and establishing an initial patient or health assessment client record
  • The use is necessary in order to take steps so that you can enter into a contract with us for the delivery of healthcare (or health assessment)
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
Making checks in the event you are applying for the BMICard
  • The use is necessary in order to take steps so that you can enter into a contract with us for the delivery of healthcare or health assessment
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
Providing healthcare (or health assessment) and related services
  • The use is necessary to provide you with healthcare (or health assessment) and other related services.
  • The use is necessary for fulfilling our contract with you for the delivery of healthcare or health assessment.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • The use is necessary to provide you with healthcare (or health assessment) and other related services.
  • The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent.
  • The use is necessary for an insurance-related purpose.
Seeking and receiving payment of fees, including billing, invoicing and settlement of your account with us including debt collection where applicable
  • The use is necessary to provide you with healthcare (or health assessment) and other related services
  • The use is necessary to fulfil our contract with you for the provision of health assessment services, care and/or treatment
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.
Administration and management of healthcare services (such as maintaining records including patient medical records, receiving professional advice)
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary to comply with a legal or regulatory obligation.
  • The use is necessary for fulfilling our contract with you for the delivery of healthcare.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.
Communicating with you and resolving any queries or complaints that you might have. Communicating with any other individual that you ask us to update about your care (such as your emergency contact) and liaising with other healthcare professionals about your care
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for compliance with a legal obligation.
  • The use is necessary for fulfilling our contract with you for the delivery of healthcare.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your consent.
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.
  • You have given us your explicit consent.
Conducting surveys
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
Complying with our legal and regulatory requirements including investigating complaints or claims and defending or exercising our legal rights
  • The use is necessary for compliance with a legal obligation.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your consent.
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • You have given us your explicit consent.
Clinical research and development
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for compliance with a legal obligation.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your consent.
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • We need to use the information for reasons of substantial public interest.
  • The use is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care.
  • The use is necessary for public interest or scientific research purposes so long as it is subject to appropriate safeguards.
  • You have given explicit consent.
Safeguarding purposes (for example, in order to ensure the health and safety of an individual)
  • The use is necessary for compliance with a legal obligation.
  • We need to use the information to protect your vital interests or the vital interests of a third party.
  • The use is necessary to provide you with healthcare and other related services.
  • We need to use the information to protect your vital interests or the vital interests of a third party and you or the third party are physically or legally incapable of giving consent.
  • We need to use the information for reasons of substantial public interest, such as the use being necessary in protecting an individual from neglect or physical, mental or emotional harm and protecting the physical, mental or emotional wellbeing of an individual.
  • You have given us your explicit consent.
Preventing and investigating fraud. This might include sharing your personal information with third parties such as the police or fraud prevention agencies, or carrying out fraud, credit, anti-money laundering and other checks
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • We need to use the information for reasons of substantial public interest
Carrying out marketing activities and providing marketing information to you
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your consent.
 
Passing your records to a third party to whom we sold or transferred part of our business or a hospital
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for compliance with a legal obligation.
  • The use is necessary to provide you with healthcare and other related services.
  • We need to use the information to protect your vital interests or the vital interests of a third party.

Where and for how long does BMI Healthcare store information about me?

The information about you that we hold and use is held securely in the United Kingdom and stored in paper format and on our secure servers.  However, in some instances, your personal information may be processed for medical purposes or (particularly information not involving your medical information, because there is a legitimate interest or it is necessary for the performance of services to you) outside the European Economic Area ("EEA") where the organisation paying for your health assessment, care or treatment is based outside the EEA or where one of our suppliers is operating outside the EEA.  We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.

We retain your records for certain periods (depending on the particular type of record) under our retention of records policy.  This is to ensure that information is properly managed and is available whenever and wherever there is a justified need for that information, including to support patient care and continuity of care; to support evidence-based clinical practice and to assist clinical and other audits; to support our legitimate interests, and to meet legal requirements.  Your records may be transferred to an off-site storage provider, who will digitise and retain an electronic copy of your records only.  Your records may not be retained in hard copy form where a digital copy exists.

If you would like more detailed information on this, please contact our Information Governance & Data Protection Officer (contact details below).

What rights do I have?

Under certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you wish to exercise any of the rights set out below, please contact the DPO using the contact details set out below.

Details of your rights are set out below.

The right to access your personal information

You are usually entitled to a copy of the personal information we hold about you and details about how we use it.

Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.

You are entitled to the following under data protection law.

Under data protection law we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:

  • The purposes for which we use your personal information.
  • The types of personal information we hold about you.
  • Who your personal information has been or will be shared with, including in particular organisations based outside the EEA.
  • If your personal information leaves the EEA, how we make sure that it is protected.
  • Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for.
  • If the personal data we hold about you was not provided by you, details of the source of the information.
  • Whether we make any decisions about you solely by computer and, if so, details of how those decisions are made and the impact they may have on you.
  • Your right to ask us to amend or delete your personal information.
  • Your right to ask us to restrict how your personal information is used or to object to our use of your personal information.
  • Your right to complain to the Information Commissioner's Office.

We also need to provide you with a copy of your personal information.

If you are a patient of BMI Healthcare and you wish to request details of or a copy of your medical records, please contact the hospital at which you have received the care and treatment. For all other requests for any personal information we may hold (such as employment records, if you are an ex-employee) please direct your request to the Data Protection Officer, using the contact details below.

The right to request correction of your personal information

We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.

The right to request erasure of your personal information

In some circumstances, you have the right to request the erasure of the personal information that we hold about you. This is also known as the 'right to be forgotten'. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.

The right to object to the processing of your personal information

In some circumstances, you have the right to object to the processing of your personal information. However, there are exceptions to this right and we do not have to "pause" the processing of your information where, in particular, it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.

The right to request a transfer of your personal information

In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/organisation of your choice. The information must be transferred in an electronic format.

The right to object to marketing

As detailed in the 'marketing' section above, you can ask us to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting the DPO.

The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)

You have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.

The right to withdraw your consent

You have the right to withdraw your consent where we rely upon this as a legal ground for processing your information. You can do this by contacting our DPO.

The right to complain to the Information Commissioner's Office

You have the right to complain to the Information Commissioner's Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law.

Making a complaint will not affect any other legal rights or remedies that you have.

More information can be found on the Information Commissioner's Office website: https://ico.org.uk/. The Information Commissioner's Office can be contacted by post, phone, fax or email as follows:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 9 (if you prefer to use a national rate number)

Fax: 01625 524 510

Email: [email protected]

CCTV

We use CCTV in various parts of our hospitals. CCTV is used for the safety and security of our patients, health assessment clients, visitors, and staff.

International Transfers

We (or third parties acting on our behalf) may transfer, store or process information about you in countries outside the EEA. Where this is the case we take the required steps to ensure that your personal information is protected. As described briefly above in this Privacy Notice, we may, from time to time and where it is necessary to do so in order to provide you with the best care and treatment, engage and work with some specialist companies that are based outside of the European Economic Area. This includes providers of specialist medical devices, such as robotic surgical aids and cardiac monitoring, bespoke prostheses and certain genomic testing. In order to make use of those services, your personal data may have to be transferred to the provider of the device or service in question, all of whom are currently based in the US. That transfer would only take place where we have agreed the standard contractual clauses prescribed by the EU Commission, which oblige the recipient of your data to ensure that it is appropriately safeguarded.

We may also transfer specimens to specialist clinics in the US for particular specialised tests, but this will only take place in circumstances where you have been made aware that we propose to do so and we have obtained your specific consent to allow the transfer (of both the specimen and data).

This list of transfers of personal data outside the EEA is correct as of the date of this Privacy Notice.

Contacting BMI Healthcare and the Information Governance & Data Protection Officer

For further questions or to exercise any rights set out in this Privacy Notice, please contact BMI Healthcare's Information Governance & Data Protection Officer:

Information Governance & Data Protection Officer
BMI Healthcare Limited
1st Floor
30 Cannon Street
London
EC4M 6XH

Email: [email protected]

February 2020