BMI Healthcare Website Privacy Notice

This Privacy Notice sets out what personal information we may collect from you and how that information may be used when using BMI Healthcare's websites – bmihealthcare.co.uk and careers.bmihealthcare.co.uk, and when you interact with us via social media. In particular, this Privacy Notice:

  • explains how we will manage your personal information, from the point of collection and onwards;
  • explains how we use and handle your information, and how we will comply with any relevant laws; and
  • explains your rights in relation to your personal data, and how you can exercise them.

This Privacy Notice does not cover any links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our websites, we encourage you to read the privacy policy of every website you visit.

The websites set out above are not intended or designed for children under the age of 13. We do not intend to or knowingly collect personal information from anyone under the age of 13. If you are under 13 and wish to ask a question or use this website in a way that requires you to submit any personal information, please ask your parents or guardian to do it on your behalf. If we learn that we have unknowingly collected personal information from someone under the age of 13, we will delete such information as quickly as possible.

Introduction

BMI Healthcare is an independent provider of private healthcare, offering treatment to private patients and NHS patients. In order to provide healthcare services, BMI Healthcare needs to collect and process certain information about you ("personal data"). This makes BMI Healthcare a 'data controller' for the information that it collects and processes about you, and makes you the 'data subject'.

BMI Healthcare is committed to protecting and respecting your personal information. This Privacy Notice explains what personal information we may collect from you and how that information may be used. Please take your time to read this Privacy Notice carefully.

This Privacy Notice is provided in a layered format so you can click through to the specific areas set out below.

  • 1. About us
  • 2. What personal information do we collect from you and where do we collect it from?
  • 3. Why do we collect your personal information?
  • 4. Who do we share your personal information with?
  • 5. What marketing activities do we carry out?
  • 6. Your rights
  • 7. How long do we keep your personal information for?
  • 8. International data transfers
  • 9. How to contact us

In this Privacy Notice we use "we", "us", "our" or "BMI Healthcare" to refer to BMI Healthcare.

We will advise you in our communications with you of the specific company within the BMI Healthcare group of companies which is making decisions about the use of your personal information.

We may collect information about you when you request any information about us or our services, submit your personal details and/or complete any forms on the website, contact us via social media or use our live chat facilities on our website. This information will come directly from you. In limited circumstances we may also receive information about you on your behalf, such as where you have asked a family member to contact us, or if your GP contacts us directly. Personal information, or personal data, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may also collect special categories of personal information about you. This includes personal information relating to details about your health, and genetic and biometric data, race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, or trade union membership.

If you provide personal information to us about other individuals (including medical or financial information) you should inform the individual about the contents of this Privacy Notice. We will process such information in accordance with this Privacy Notice.

We have set out details below about the types of personal information we are likely to collect and use about you when you use our websites or interact with us via social media. The extent of the information we collect and use will depend on what information you choose to provide to us or what information is provided to us on your behalf.

Personal data

  • general information you provide, such as your name, address, contact details, date of birth, gender and next of kin
  • information relating to appointments
  • information regarding your ability to pay for services and payment information
  • information regarding your experiences with us
  • information you provide in surveys or feedback
  • information relating to any complaint you may make against us or our staff
  • information about your areas of interest, if you are signing up to receive our update emails
  • information you send in any job application or speculative enquiries in relation to job vacancies, such as employment history or qualifications
  • information when you visit our websites. BMI Healthcare uses Google Analytics and cookies in order to improve our service and user experience and to analyse how the website is used. Aside from the approximate location (IP address), the information collected by Google Analytics is anonymous traffic data including browser information, device information, and language. The collected information is used to provide an overview of how people are accessing and using BMI Healthcare's websites. For more information about our use of cookies, please see our cookie policy.

Special categories of personal data

  • details of your current or former health condition, including information about medication, lifestyle and other information that may be relevant to your health e.g. employment history, family conditions; race; ethnicity; sex life or sexual orientation, religious or philosophical beliefs
  • information relating to criminal convictions (including offences and alleged offences and any court sentence or unspent criminal conviction)
  • in limited circumstances, we may process other sensitive personal information including details of your political opinions; and trade union membership, for example, where it is relevant to your health or social history

We process your personal information for the purposes set out in this Privacy Notice. We will only use your personal data when the law allows us to. Each time we use your data we must have a legal justification to do so. The particular justification will depend on why we are using your data. When the information that we process is classed as "special categories of personal information", we must have a specific additional legal justification in order to use it as proposed.

Generally, we will rely on the following legal grounds for processing your personal data:

  • Taking steps at your request so that you can enter into a contract with BMI Healthcare and/or a clinician to receive healthcare services from us, or for the purposes of that contract. If we have a contract with you, we will process your personal information in order to fulfil that contract (that is, to provide you with our products and services).
  • Taking steps at your request so that you can enter into an employment contract with BMI Healthcare, or for the purposes of that contract.
  • We have an appropriate business need (a 'legitimate interest') to process your personal information and those interests are not overridden by your privacy rights. We will rely on this for activities such as administration and service improvement. Further details of those legitimate interests are set out in more detail below.

We may process special categories of personal information about you because:

  • It is necessary for the purposes of preventive or occupational medicine, providing you with medical diagnoses, providing you with healthcare or for the management of our healthcare services.
  • It is necessary for reasons of substantial public interest, such as insurance-related purposes or for preventing or detecting fraud.
  • The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.

You will find further details of our "legal grounds" for each of our processing purposes set out below.

Providing healthcare and related services

Legal grounds:

  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for fulfilling our contract with you for the delivery of healthcare.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.

Additional legal grounds for special categories of personal data:

  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent.
  • The use is necessary for an insurance-related purpose.

Administration and management of healthcare services (such as maintaining records, receiving professional advice)

Legal grounds:

  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary to comply with a legal or regulatory obligation.
  • The use is necessary for fulfilling our contract with you for the delivery of healthcare.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.

Additional legal grounds for special categories of personal data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.

Service improvement, evaluation and audit (in order to improve the healthcare services that we provide)

Legal grounds:

  • The use is necessary for compliance with a legal or regulatory obligation.
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.

Additional legal grounds for special categories of personal data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • You have given us your explicit consent.

Communicating with you and resolving any queries or complaints that you might have. Communicating with any other individual that you ask us to update about your care.

Legal grounds:

  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for compliance with a legal obligation.
  • The use is necessary for fulfilling our contract with you for the delivery of healthcare.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your explicit consent.

Additional legal grounds for special categories of personal data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.
  • You have given us your explicit consent.

Complying with our legal and regulatory requirements

Legal grounds:

  • The use is necessary for compliance with a legal obligation.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your explicit consent.

Additional legal grounds for special categories of personal data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • You have given us your explicit consent.

Clinical research and development

Legal grounds:

  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for compliance with a legal obligation.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your consent.

Additional legal grounds for special categories of personal data:

  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • We need to use the information for reasons of substantial public interest.
  • The use is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care.
  • The use is necessary for public interest or scientific research purposes so long as it is subject to appropriate safeguards.
  • You have given explicit consent.

Safeguarding purposes (for example, in order to ensure the health and safety of an individual)

Legal grounds:

  • The use is necessary for compliance with a legal obligation.
  • We need to use the information to protect your vital interests or the vital interests of a third party.
  • The use is necessary to provide you with healthcare and other related services.

Additional legal grounds for special categories of personal data:

  • We need to use the information to protect your vital interests or the vital interests of a third party and you or the third party are physically or legally incapable of giving consent.
  • We need to use the information for reasons of substantial public interest, such as the use being necessary in protecting an individual from neglect or physical, mental or emotional harm and protecting the physical, mental or emotional wellbeing of an individual.
  • You have given us your explicit consent.

Preventing and investigating fraud. This might include sharing your personal information with third parties such as the police or fraud prevention agencies, or carrying out fraud, credit, anti-money laundering and other checks

Legal grounds:

  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.

Additional legal grounds for special categories of personal data:

  • We need to use the information for reasons of substantial public interest.

Carrying out marketing activities and providing marketing information to you

Legal grounds:

  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your consent.

For employment and pre-employment purposes, such as considering job applications from you, carrying out pre-employment checks and entering into an employment contract

Legal grounds:

  • Taking steps at your request so that you can enter into an employment contract with BMI Healthcare, or for the purposes of that contract.
  • We have a legal or regulatory obligation to use your personal information.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have provided your consent to our use of your personal information.

Additional legal grounds for special categories of personal data:

  • We need to use the information for reasons of substantial public interest.
  • It is necessary for the management of our healthcare services.
  • It is information that you have made public.
  • You have provided your explicit consent.

From time to time, we may share your personal information with others. We will keep your personal information confidential and only share it with those listed below for the purposes explained in the previous section.

Sharing within the BMI Healthcare group of companies

We may share your information with other companies in the BMI Healthcare group, for example, in order to provide you with healthcare services or progress your employment application.

Sharing with third parties

We may share information with the following third parties:

  • Clinicians or other healthcare professionals involved in your treatment
  • Other staff involved in your healthcare, such as receptionists, secretaries and administrative assistants
  • Organisations from which you are receiving healthcare services, such as your GP or dentist
  • Third parties who are involved in your healthcare, such as insurers
  • Other private sector healthcare providers
  • The Private Healthcare Information Network
  • Third parties involved in research or audit projects
  • NHS organisations, including NHS Resolution, NHS England, Clinical Commissioning Groups, NHS Foundation Trusts, NHS Trusts, or the Department of Health as well as third parties that have contractual relationships with such NHS organisations
  • Government bodies such as the Home Office and HMRC
  • Regulators, such as the ICO, the Care Quality Commission, Health Inspectorate Wales, and Health Improvement Scotland
  • The police and other third parties where reasonably necessary for the prevention or detection of crime
  • Anyone that you have asked to communicate with us on your behalf, or have named as an emergency contact, such as your representative, next of kin or carer
  • Debt collection agencies
  • Our insurers
  • Our third-party service providers and advisers, such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document storage and management providers and tax advisers
  • Preferred partners for credit agreements
  • Credit referencing agencies
  • Any third parties involved in the sale, transfer or disposal of all or a part of our business

We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.

We may use your information to provide you with information about products or services which may be of interest to you where you have provided your consent for us to do so.

Where you are receiving marketing information by email, you can unsubscribe by clicking on the link within the email that has been sent to you, or via your MyBMI personal account.

We occasionally pass your information on to market research companies which carry out surveys and collate feedback on our behalf. We use this information to help improve our services and develop and improve products.

If you do not wish to receive non-email based marketing information or do not want us to pass your information on to market research organisations, please contact our Data Protection Officer ("DPO") using the contact details below.

What automated decision-making do we carry out in relation to your personal information?

An automated decision is a decision made by computer without any human input. We do not currently carry out automated decision-making ('profiling') in respect of your personal information. However, as explained above, when you visit our websites BMI Healthcare uses cookies to improve services and user experience and to analyse how the website is used. This may include targeted advertising if you have opted in to these cookies. Further information can be found in the cookies policy.

Under certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you wish to exercise any of the rights set out below, please contact the DPO using the contact details set out below.

Details of your rights are set out below.

The right to access your personal information

You are usually entitled to a copy of the personal information we hold about you and details about how we use it.

Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.

You are entitled to the following under data protection law.

Under data protection law we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:

  • The purposes for which we use your personal information.
  • The types of personal information we hold about you.
  • Who your personal information has been or will be shared with, including in particular organisations based outside the EEA.
  • If your personal information leaves the EU, how we make sure that it is protected.
  • Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for.
  • If the personal data we hold about you was not provided by you, details of the source of the information.
  • Whether we make any decisions about you solely by computer and, if so, details of how those decisions are made and the impact they may have on you.
  • Your right to ask us to amend or delete your personal information.
  • Your right to ask us to restrict how your personal information is used or to object to our use of your personal information.
  • Your right to complain to the Information Commissioner's Office.

We also need to provide you with a copy of your personal information.

If you are a patient of BMI Healthcare and you wish to request details of or a copy of your medical records, please contact the hospital at which you have received the care and treatment. For all other requests for any personal information we may hold (such as employment records, if you are an ex-employee) please direct your request to the Data Protection Officer, using the contact details below.

The right to request correction of your personal information

We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.

The right to request erasure of your personal information

In some circumstances, you have the right to request the erasure of the personal information that we hold about you. This is also known as the 'right to be forgotten'. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.

The right to object to the processing of your personal information

In some circumstances, you have the right to object to the processing of your personal information. However, there are exceptions to this right and we do not have to "pause" the processing of your information where, in particular, it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.

The right to request a transfer of your personal information

In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/organisation of your choice. The information must be transferred in an electronic format.

The right to object to marketing

As detailed in the 'marketing' section above, you can ask us to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting the DPO.

The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)

You have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.

The right to withdraw your consent

You have the right to withdraw your consent where we rely upon this as a legal ground for processing your information. You can do this by contacting our DPO.

The right to complain to the Information Commissioner's Office

You have the right to complain to the Information Commissioner's Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law.

More information can be found on the Information Commissioner's Office website: https://ico.org.uk/

Making a complaint will not affect any other legal rights or remedies that you have.

We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations.

We (or third parties acting on our behalf) may transfer, store or process information about you in countries outside the EEA. Where this is the case we take the required steps to ensure that your personal information is protected.

Our Data Protection Officer ("DPO") helps us to make sure that the BMI Healthcare group of companies comply with data protection law. Our DPO has responsibility for data protection compliance in respect of the companies set out above.

The DPO can be contacted by:

If you would like further information about any of the matters in this Privacy Notice or have any other questions about how we collect, store or use your personal information, please contact the DPO using the details above. Please also contact the DPO if you have any feedback about this Privacy Notice.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time to ensure that it remains accurate.

This Privacy Notice was last updated on 18th April 2019.