1 General information
This privacy notice tells you what to expect us to do with your personal information when you contact us or use one of our services.
This notice is layered. So, if you wish, you can easily select the reason we process your personal information and see what we do with it.
The first part of the notice is information we need to tell everybody.
1.1 Contact details
Connect Health Ltd. is the controller for the information we process, unless otherwise stated.
There are many ways you can contact us, including by phone, email and post. More details about how you can contact us can be seen here.
Our Head Office postal address is:
The Light Box,
Quorum Park,
Benton Lane,
Newcastle upon Tyne,
Tyne and Wear,
NE12 8EU
Our interim Data Protection Officer is Umar Sabat. You can contact him at dpo@connecthealth.co.uk or via our postal address. Please mark the envelope ‘Data Protection Officer’.
1.2 How do we get information?
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- You are an NHS patient, where we provide musculoskeletal services in partnership with the NHS.
- You are a patient of our Occupational Health Physiotherapy Services.
- You have applied for a job or secondment with us.
- You have visited our offices or our website.
- You have attended one of our events.
We may monitor and record communications with you, such as telephone conversations and emails, for quality, training and compliance purposes.
We also receive personal information indirectly, in the following scenarios:
- You are an NHS patient that has been referred to our services by your GP practice.
- You are a patient and as part of your treatment you have had an assessment or test at a hospital or specialist.
- You are a patient and as part of your wider care you are receiving support from other organisations, such as community services, care homes, hospices, social services and housing support.
- An employee of ours gives us your contact details as an emergency contact or a referee.
- You are an employee of one of our customers, potential customers, or business partners.
We will only use your personal information for the purpose(s) for which we have obtained it. We may process your information without your knowledge or consent where this is required by law.
1.3 Sharing your information
We will not share your information with any third parties for the purposes of direct marketing.
We will not transfer any of your information to a separate organisation or individual outside of the EU.
In some limited circumstances we may be legally obliged to share information. For example, under a court order.
We use third parties to provide elements of services for us, such as NHS patient records management systems. We have contracts in place with these third parties. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
1.4 Your information protection rights
Under information protection law, you have rights we need to make you aware of. The rights available to you depend on the reason for processing your information.
- Right to be informed: organisations must tell individuals what information is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
- Right of access: individuals have the right to request a copy of the information that an organisation holds on them.
- Right of rectification: individuals have the right to correct information that is inaccurate or incomplete.
- Right to be forgotten: in certain circumstances, individuals can ask for the information an organisation holds on them to be erased from their records.
- Right of portability: individuals can request that an organisation transfer any information that it holds on them to another company.
- Right to restrict processing: individuals can request that an organisation limits the way it uses personal information.
- Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.
- Right related to automated decision-making including profiling: individuals are free to request a review of automated processing if they believe the rules aren’t being followed.
You have the right to obtain information from us as to whether we are processing your personal information and, if we are, to request a copy of the personal information we hold about you. This is known as a ‘Subject Access Request’. If you wish to make a subject access request, please do this via recordsrequest@connecthealth.co.uk. You will not have to pay a fee to access your personal information or to exercise any of your other rights. However, we may charge a reasonable fee should your request be clearly unfounded, repetitive or excessive. We will do our best to respond to your request within 28 days. However, if that is not possible due to the number or complexity of requests, we will notify you and keep you updated.
Where you have provided consent for us to process your personal information, please note that you have the right to withdraw this consent at any time.
1.5 Complaints
We aim to meet the highest standards when collecting and using personal information. However, if you have any complaints or concerns about any aspect of this privacy policy and the ways in which we obtain, store, manage or destroy personal information, then please contact us via feedback@connecthealth.co.uk.
Alternatively, if you feel we have in any way handled your personal information unfairly or inappropriately, you can raise an issue with the Information Commissioner's Office. Further details on GDPR and information protection laws can also be found at the ICO website.
1.6 Security
The protection of privacy and confidentiality are given the highest priority, with all personal information being collected, held and used in strict compliance with the Data Protection Act 2018 and the General Information Protection Regulations (GDPR) 2018.
Information is retained in secure electronic and paper records and access is restricted to those who need to know. It is important that your information is kept safe and secure to protect your confidentiality. There are a number of ways in which your privacy is shielded:
- By removing your identifying information.
- By using an independent review process.
- By adhering to strict contractual conditions.
- By ensuring strict sharing or processing agreements are in place.
- By managing who has access to what information (user access controls).
Our staff have a common law and contractual duty of confidentiality to protect your information.
2 Reason for contacting us
This section of the privacy notice provides information that is specific to your reason for contacting us.
2.1 You are a patient
What information do we hold?
As providers of health care services, we have a legal duty to collect and process information relating to the creation of medical records.
We only hold information that is relevant to your care and treatment. This may include:
- Basic details such as name, address and contact details.
- Details of contact we have had with you throughout your treatment with us.
- Professional information (such as job title, role and duties) if your occupation is relevant to your care and treatment.
- Details of the services you have accessed.
- Treatment notes and reports about your health and any treatment you have received.
- Your feedback and treatment outcome information.
- Information surrounding complaints and incidents which may have arisen.
- Recordings of calls, inbound and outbound.
- Any other personal information we collect in the course of providing our services or in the course of operating our business.
What do we do with your information?
We collect personal information about you which will be used to support the delivery of appropriate, high quality care and treatment and provide a medical diagnosis. For further information about our patient services, please see:
NHS Services
In general, we use your information to provide our services to you, including:
- To help inform decisions that we make about your care.
- Ensure your treatment is safe and effective.
- Record keeping and administration purposes.
- To safeguard children and vulnerable adults.
- To plan our services to ensure we can meet future needs.
- To review care provided to ensure it is of the highest possible standard.
- To train health care professionals.
- For research and statistical analysis.
- Providing you an opportunity to complete a satisfaction survey.
- Process and respond to complaints, concerns or incidents.
- Comply with other legal, professional or regulatory obligations imposed on us.
- Audit our services.
We may use third parties to help provide you with care and treatment. For example, PhysioNow, which is a digital self-assessment tool that helps you rapidly get the best care to manage your symptoms or injury, is powered by EQL’s Phio.
Lawful basis for processing
Although we will always seek your consent for the medical treatment itself, this is entirely separate from our data protection obligations. We rely on the following legal reasons for processing your personal information:
- Consent: We will tell you how your information will be used and seek your consent, where it can be freely given.
- Contractual necessity: We will process your personal information when it is necessary to perform a contract. For example, where we provide services to you that are funded by the NHS or your employer.
- Legal obligation: We will process your personal information when it is necessary to comply with a legal or regulatory obligation (e.g. identity checks, external auditing).
- Legitimate interests: We will process your personal information when we or a third party have a legitimate interest in processing it (e.g. ensuring our business policies are adhered to or improving our business through research and statistical analysis). We only process for this reason if the legitimate interest is not overridden by your own interests or fundamental rights or freedoms.
- Perform a public task: For NHS patients the processing is necessary for the performance of a task carried out in the public interest.
Information pertaining to your health is classified as ‘special category information’. We will process this information on the basis that it is necessary for medical diagnosis, the provision of health care services and historical research purposes or statistical purposes.
Sharing your health record
We will not disclose any health information to third parties unless there are specific circumstances as outlined below:
- To provide the best possible care, it may be necessary to share your health information with others. For example, with your GP, a consultant or the hospital which treats you. We will discuss this with you and seek your consent.
- We will make it clear if we are providing a service as part of a multi-agency team or partnership where we may be required to share your health information with the lead organisation.
- We may need to share limited and more general information as part of the contractual arrangements with the NHS or your employer (if they are funding the treatment).
- In exceptional situations, we may need to share information without your consent if:
– it is in the public interest – for example, there is a risk of death or serious harm.
– there is a legal need to share it – for example, to protect a child under the Children Act 1989.
– a court order tells us that we must share it.
– there is a legitimate enquiry from the police for information related to a serious crime.
Connect Health will always do its best to notify you of this sharing.
How the NHS and care services use your information
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance, to help with:
- improving the quality and standards of care provided.
- research into the development of new treatments.
- preventing illness and diseases.
- monitoring safety.
- planning services.
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential NHS patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential NHS patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt-out, please visit www.nhs.uk/your-nhs-data-matters.
On this web page you will:
- See what is meant by confidential patient information.
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
- Find out more about the benefits of sharing data.
- Understand more about who uses the data.
- Find out how your data is protected.
- Be able to access the system to view, set or change your opt-out setting.
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone.
- See the situations where the opt-out will not apply.
You can also find out more about how patient information is used at:
- https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
- https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
How long we hold your health records for
As a healthcare organisation, we have a legal and regulatory obligation to keep health care records for a minimum period of time. We will typically keep your information for a period of 8 years after the end of your care.
NHS login
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
2.2 Job applicants
What information do we hold?
We may hold the following types of information when processing your application:
- Name, address and date of birth.
- Details of your employment history and qualifications.
- References.
- Proof of your identity and right to work.
- Any other personal information we collect in the course of progressing your application.
What do we do with your information?
Connect Health holds information to assess your suitability for any role you have applied for.
More details about our vacancies can be seen here.
Lawful basis for processing
We rely on the following legal reasons for processing your personal information:
- Consent: We will process your personal information where you have given your consent.
- Contractual necessity: We will process your personal information when it is necessary to perform a contract you have entered into or in order to take steps at your request prior to entry into a contract.
- Legal obligation: We will process your personal information when it is necessary to comply with a legal or regulatory obligation (e.g. right to work checks or to make reasonable adjustments you require under the Equality Act 2010).
- Legitimate interests: We will process your personal information when we have a legitimate interest in processing it (e.g. arranging interviews or assessments, ensuring our business policies are adhered to or improving our business by monitoring and recording information relating to our recruitment processes). We only process for this reason if the legitimate interest is not overridden by your own interests or fundamental rights or freedoms.
Additionally, if your application involves more sensitive information, which is classified as ‘special category information’, we may have obligations relating to employment and the safeguarding of your fundamental rights.
How long we keep it
We’ll use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary.
We will only hold information as long as it is necessary for the recruitment processes.
2.3 Visitors to our offices
What information do we hold?
If you visit our offices, we may hold the following types of information about you:
- Name and contact details if you sign in and out at reception.
- Closed-circuit television (CCTV) recordings.
- Device details and activity information if you use our guest WiFi.
What do we do with your information?
We may ask you to sign in and out at reception to help us identify and supervise visitors, particularly in the event of a fire or emergency.
Some of our offices have guest WiFi and closed-circuit television (CCTV). We need to hold and process limited device details and information about your use of the guest WiFi to help us manage and secure our WiFi. We use CCTV systems to help provide safe and secure locations for our patients and staff.
We also provide services from buildings that we do not directly manage, which may have guest WiFi or CCTV that is not operated by us, so we are not the controller. It will be under the control of the relevant building landlord.
Lawful basis for processing
We rely on the following legal reasons for processing your personal information:
- Legitimate interests: We will process your personal information when we have a legitimate interest in processing it (e.g. to provide a safe and secure location for our patients and staff and maintain the integrity of our IT systems).
Sharing your visitor information
We would only share your visitor information in exceptional situations. For example, if:
- it is in the public interest – for example, there is a risk of death or serious harm.
- a court order tells us that we must share it.
- there is a legal need to share it – for example, to protect a child under the Children Act 1989.
How long we keep it
We will only hold visitor information as long as it is necessary to provide safe and secure locations for our patients and staff. CCTV recordings are typically only held for a few weeks.
2.4 Attending an event and marketing
What do we do with your information?
If you attend an event, we may ask for information to help us manage the event, such as your name and contact details. We will let you know if an online event may enable other attendees to view your name or contact details.
We maintain a contact list for marketing to business customers and partners, which may contain information such as name, contact details, role and organisation. We may use this information to invite individuals to specific events or to send them information about our services. At any point you can let us know that you no longer wish to receive marketing information.
Lawful basis for processing
We rely on the following legal reasons for processing your personal information:
- Consent: We will seek your consent where possible.
- Legitimate interests: We will process your personal information when we have a legitimate interest in processing it. For example, in order to manage events or maintain contact with existing or potential business customers.
How long we keep it
We will only hold event information as long as it is necessary to manage the event or series of events.
We will only hold contact information for marketing purposes whilst they appear current or until an individual has requested that it be deleted. Where an individual has opted out of marketing, we will retain limited information to help ensure that we do not send them further marketing messages.
2.5 Visitors to our website
What do we do with your information?
This site uses cookies, which are small text files that are placed on your machine to help the site provide a better user experience. The purpose for implementing cookies is to maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users. Please see our Cookie Policy.
We also use analytics, to collect standard internet log information and details of visitor behaviour patterns.
Lawful basis for processing
We rely on the following legal reasons for processing your personal information:
- Consent: We require your consent for the optional cookies we use.
- Legitimate interests: We will process your personal information when we have a legitimate interest in processing it. For example, in order to maintain the integrity of our IT systems and the continuity of our business.
How long we keep it
We will only hold visitor information as long as it is necessary to maintain the integrity of our IT systems and the continuity of our business.
2.6 Privacy notices
What is a privacy notice?
A privacy notice requires organisations to provide certain information about processing activities. A privacy notice is one way of providing information to the individuals whom this affects. This is sometimes referred to as a fair processing notice.