About this Privacy Notice
The confidentiality of patient information is of paramount importance to The Rutherford Cancer Centres Limited. This Privacy Notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us in accordance with UK data protection legislation.
We may need to update this Privacy Notice from time to time and where we are already processing your personal data we will notify you of any significant changes.
Who we are
The Rutherford Cancer Centres Limited is a Company registered in England and Wales (company number 10680302).
We operate a network of oncology centres nationally and internationally, providing a range of cancer services for patients. We are a wholly owned subsidiary of Proton Partners International Limited, a company incorporated and registered in England and Wales (company number 09420705) committed to providing innovative cancer treatment.
Information about our services is available on our website http://www.therutherford.co.uk/about-us/
Where the term ‘we’ or ‘us’ is used, this relates to Proton Partners International Limited and The Rutherford Cancer Centres Limited.
Our nominated representative, for the purpose of the Data Protection Act, is our Data Protection Officer whose contact details can be found at the end of this notice.
We employ a range of healthcare professionals to deliver our services, including nurses, radiographers, physicists, dosimetrists, play therapists, medical advisors, and a range of administrative roles.
In addition to our employed staff, medical practitioners and allied health professionals register with us to hold a private practice licence. Medical practitioners (often referred to as consultants) and allied health professionals are self-employed independent practitioners who must comply with our policies and procedures and ensure the safe processing of information within their private practice. You will be provided with information about their services and fees as part of the booking process.
At all times, healthcare professionals are responsible for complying with data protection legislation when handling your personal data, including any processing carried out by their private secretaries.
They are bound by our confidentiality and security policies, and applicable medical confidentiality guidelines, as well as their own codes of practice issued by their respective professional and regulating bodies which include the Health and Care Professions Council, General Medical Council, Nursing and Midwifery Council.
Processing personal data in line with data protection legislation
We will process your personal data in line with data protection legislation as follows:
- We will always process personal data lawfully and fairly and in a transparent manner. We will ensure this Privacy Notice is available on our website and relevant extracts are provided when you register for our services.
- We will process personal data to provide the range of services available at the Rutherford Cancer Centres and as described in this Privacy Notice.
- We will ensure that whenever we collect personal data it is adequate, relevant and not excessive in relation to the purpose for which it is being processed.
- We will ensure information processed is accurate and kept up to date by asking you to confirm when you access our services that the information we hold about you is correct.
- We will ensure that your personal data is kept in a form that allows us to identify you for clinical purposes but is not kept in an identifiable format for longer than is needed. Where we need to keep your identifiable data longer for scientific, research or statistical purposes we will ensure that the appropriate technical and organisational measures are applied to protect the confidentiality of the information.
- We will ensure that your personal data is processed in a way that ensures the security and confidentiality of the data. This means that we have policies, procedures and training in place to ensure robust security controls are applied to the processing of your data.
What is personal data?
The term ‘personal data’ relates to any information that can, or has the potential to, identify you as an individual such as your name, address, e-mail address, phone number. It also includes less obvious information such as identification numbers, electronic location data and other online identifiers.
Certain types of personal data are referred to in data protection legislation as ‘special categories’ of data. This is because they are classed as more sensitive and require additional protection.
Such information includes information about an individual’s:
- Ethnic origin
- Trade union membership
- Biometrics (where used for identification purposes)
- Sex life
- Sexual orientation
What personal data do we collect?
We collect personal data and special category data (where relevant). The type and amount of personal data we collect will depend on our relationship with you as described below:
Making enquiries about our services
When you contact us in person, by telephone, email, fax, letter, social media or through completion of a website enquiry form, to enquire about the services we offer, we will only collect personal data that is necessary to enable us to respond to your enquiry. The type of information collected will depend on the type of enquiry.
The types of information we will routinely collect on an enquiry will include:
- Contact details
- Nature of enquiry
To help us deal with your enquiry we may also need to collect more detailed information about your personal circumstances and health such as:
- Current health condition
- GP and/or consultant details
- Information on current treatments
We may need to share your information with our team of healthcare professionals and medical practitioners to help us provide you with the most appropriate response to your enquiry.
If you provide personal information about another individual, you must inform them of this Privacy Notice. We will never relay or discuss personal information we hold about an individual with another individual without their consent, unless evidence is provided of a lawful basis, i.e. power of attorney.
When a referral is received for treatment
When an initial referral is received asking us to consider you for consultation and/or treatment, personal data is provided to us by the referring source. The sources from which we receive information may include, and are not limited to:
- Patient self-referral
- Clinicians (including their medical secretaries)
- Hospital and healthcare provider establishments
- Commissioning bodies
Information that may be received may include your personal contact details, information on your medical history, diagnosis and conditions. As part of the consultation and booking process we may also request and receive scans and images from other healthcare providers.
Personal data in addition to health data
In addition to receiving information on your health status and condition, we will also process personal information that is required to prepare for, and to enter into, a contract for services. This may include payment method information, information from your insurers, agency, or commissioning body (where relevant). Additional types of processing may also occur when you contact and access our services. Additional processing of personal data includes:
- Use of CCTV
We use CCTV cameras in our centres to protect the safety of our visitors, premises and our car parks. Personal images may be captured during recording. Signs are clearly displayed to inform of CCTV recordings and will only be undertaken in public areas such as car parks and entrances to centres. All recordings are held securely and deleted after 30 days in line with our retention policy.
- Call recording
When you contact our centres by telephone, calls may be recorded for training and monitoring purposes. Calls are held securely and only accessed by specified roles who sample calls to monitor the quality of the information provided. Recorded calls may be used for internal training purposes.
Personal data is collected and recorded electronically, and in paper form, as part of the booking and treatment process at the Rutherford Cancer Centres.
Health records are created to record care and treatment received as a patient. The type of information collected and recorded in your health record may include, and is not limited to:
- Personal data such as your name, address, date of birth, ethnicity, contact details and next of kin
- Medical history, referral, diagnosis, tests, scans, images, treatment, information on appointments, GP and referring clinician
Health records are created and stored under strict security and confidentiality controls which include unique system access to electronic records and physical security of hardcopy information.
Only information necessary for the arrangement and provision of treatment is collected. Information received and created is stored securely and is only accessed and shared by those involved in your treatment and care.
Roles involved in your treatment and care may include medical and administrative staff, finance staff responsible for coding and invoicing your treatment, multi-disciplinary care teams, clinical audit leads, consultants and private secretaries who are responsible for the administration of appointments.
Use of data for Monitoring, Audit and Research
It is important to us that we monitor the accuracy and quality of treatment we provide. In addition, one of our key objectives at the Rutherford Cancer Centres is to undertake and contribute to research in the field of oncology.
Therefore, personal data collected when you access our services may be reviewed by:
- Internal auditors who will assess that information has been collected and recorded accurately
- External auditors such as regulating bodies to check that accurate information has been recorded (where such audits are carried out, strict confidentiality guidelines are adhered to)
- Insurance companies, where you have accessed our services under your insurance policy – specialist clinical roles within the insurance company may request certain data to check that we are providing a high quality clinical service for their customers
- Commissioning bodies such as the NHS, where we provide a contract for clinical services, may undertake audits on the quality of our care
In addition, we support and participate in audit and research programmes to enable the analysis and measurement of the effectiveness of treatment. We may share data with ethically approved third party research organisations only to the extent that it is necessary to do so in assisting research and as permitted by law.
We share patient data with UK National Cancer Registries who undertake research into cancer treatments. We do this to contribute to research into cancer. In order to register your case of cancer we need to know some details about you (such as your name, address, age and sex) as well as information about the type of cancer or condition you have, and your treatments. The National Cancer Registries use this information to produce cancer statistics and anonymised reports, and for research. It can help them to identify possible causes of cancer and to find out about the best treatments. Reports or data used for analysis or published are anonymous and will never identify any particular person, even if they have a rare cancer.
We can lawfully share the necessary patient data with such registries where the registry has received statutory approval. We may also share anonymised and aggregated patient information with organisations such as the National Institute for Health and Clinical Excellence.
How we communicate with you
We may communicate with you by letter, telephone, email, or text. We will ask you which method of communication you prefer. It is important that you provide us with accurate information so that we can ensure the information we relay to you is relayed in a confidential manner.
Where you request to receive all your information by email we may not be able to guarantee the security of information sent over the internet, but will discuss with you the options for password protection and encryption of confidential health information that is sent by email.
It is important that we review and assess the quality of our services. Therefore, where you have accessed our services, we may contact you to ask you to complete a patient satisfaction survey.
It is also important that we monitor the outcomes of treatments provided; this is known as Patient Reported Outcome Measures (PROMS). To monitor outcomes, we may ask you to complete questionnaires relating to your health and quality of life or be interviewed over a period of time. We will talk to you about this during your treatment.
What is our lawful basis for processing your personal data?
Under data protection legislation we must always have a lawful basis for using personal data and special category data (as described earlier). The law provides a set of lawful purposes for processing personal data and special category data.
Depending on the reason for us processing your personal data, there may be several lawful purposes that will apply, and which may be relevant at different times. This section describes the lawful basis for processing personal data and special category data at the Rutherford Cancer Centres.
When you contact us and ask us for information with a view to receiving services from us, or you request to receive services and treatments from us, we process your personal data to meet those requests. The type of processing we undertake is described in this Privacy Notice and includes, and is not limited to, the processing of your personal and health information along with payment information.
We therefore rely on this lawful basis for processing:
‘The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.'
As a provider of health care services, we are required to comply with a range of legal and regulatory requirements for the treatments and services we provide. These include, and are not limited to, recording decisions made in relation to Ionising Radiation Protection (Medical Exposure) Regulations (IRMER), and creation of accurate records of the medicines administered to patients in line with the Medicines and Healthcare Products Regulatory Agency.
There may be occasions where complaints or claims are made against us or an independent medical practitioner. It is therefore important that accurate information has been recorded about the treatment provided to a patient as this may be required as part of investigating the complaint or claim.
In addition, various bodies regulate healthcare providers who have the legal powers to require information to be disclosed to them about patients as part of their audit processes. Where such access is given the information is reviewed under strict confidentiality requirements.
We therefore rely on the following lawful purpose:
'Processing is necessary for compliance with a legal obligation to which the controller is subject.'
The ‘vital interests’ lawful basis is relevant for emergency medical care, when we may need to process personal data for medical purposes, but the individual is incapable of giving consent to the processing.
For example, if an individual is admitted to an A & E department of a hospital with life-threatening injuries following an accident, the disclosure to the hospital from the Rutherford Cancer Centres of the individual’s medical history is necessary to protect his/her vital interests.
We would therefore rely on the following lawful purpose should this situation arise:
'Processing is necessary in order to protect the vital interests of the data subject or of another natural person.'
Rutherford Cancer Centres participate in medical research and may share data with ethically approved research organisations. Some research projects and registries have statutory approval and, in these circumstances the minimal amount of personal data needed for the research purpose will be shared securely. We may also process data where we carry out contracts for the NHS and who are required to process data in line with public interest.
We therefore rely on the following lawful purpose:
'Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.'
The term ‘legitimate interests’ relates to the normal business activities which we carry out, which would reasonably be expected as part of the running of our business and which do not impact your rights, freedoms or interests.
The processing of personal data falls within our commercial interests as a provider of healthcare services and our aim to contribute to broader societal benefits in relation to the research and development into proton therapy. The processing of your personal data is necessary in order for us to provide a healthcare service to you.
Data protection legislation requires that any processing must be ‘necessary’ and on all occasions we must balance our interests as a company against those of the individual. If the individual would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override our legitimate interests. We will always ensure that our legitimate interests do not cause unjustified harm to you.
Our company’s aim is to deliver diagnostics, planning, treatment and research in the field of oncology and therefore personal data is collected and processed to achieve this aim.
We therefore rely on the following lawful purpose:
'The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.'
Special Category Data
In the planning and delivery of our services, it is necessary for us to process special category data in relation to responding to enquiries you make about treatments and services, and for providing treatment and services to you.
The lawful process by which we are able to process special category data is as follows:
‘Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.’
There may be situations where complaints or claims are made against us as a company or against our independent medical practitioners and where the processing of special category data is necessary to respond to those complaints or claims.
The lawful purpose we would rely on for special category data in these circumstances is as follows:
‘Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.'
Where we participate in national research programmes such as National Cancer Registries, or undertake quality audits, this participation will involve the processing of special category data.
The lawful process by which we may process special category data in this way is as follows:
‘Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.'
‘Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.'
We will always ask for your consent to send you information on our services and treatments. You can opt in to receiving information when you complete a registration form as part of your treatment or through forms and mailing list options that may be available on our websites.
There may be other circumstances where we require your consent such as involvement in specific research projects. Wherever the processing of your personal data requires consent we will ensure we provide you with full information to allow you to make an informed decision:
‘The individual has given clear consent for you to process their personal data for a specific purpose.’
Who your information is shared with
Disclosures within the company
The Rutherford Cancer Centres Limited is a subsidiary of Proton Partners International Limited. Proton Partners International Limited provides central resources to the Rutherford Cancer Centres including finance, governance, internal auditing, senior management, marketing, health and safety and business development.
Types of processing of personal data undertaken by Proton Partners International Limited may include, and are not limited to: invoicing and accounting, review of records in relation to internal audit, review of health, safety and clinical incidents, management of mailing lists where individuals have opted in, review and management of complaints.
Access to your personal data and your health information is strictly controlled to ensure access is only allowed to those roles that require access and is in line with the lawful processes described in this notice.
You can object to us sharing your information (unless the sharing is required by law). Objections can be raised at any point before or during your treatment; however, this may impact upon our ability to provide you with treatment.
For your benefit, we may need to share your personal data as part of your treatment and care with other healthcare organisations e.g. your GP, NHS, ambulance services, and organisations who provide support services to us (diagnostic services, wellbeing services etc.).
Any sharing of personal data will only be undertaken where it is deemed ‘necessary’ in relation to your care and treatment and, where such data sharing is undertaken, contracts and data sharing agreements will be in place with the third party which stipulate the confidentiality and security and use of data shared.
Routine disclosures of personal data may include disclosures to:
- Clinical roles involved with the planning and treatment of your care
- Medical practitioners who review and advise on your treatment and care
- Support roles such as bookings and reception staff and enquiry handlers
- Individuals you have identified as emergency contacts
- NHS bodies
- Your clinician overseeing your care and their medical secretaries
- Where you access services through your insurance policies, we will liaise with your insurer over your treatment and care and may be required to disclose information for the purpose of quality assurance.
We may also share your personal information with family or friends that you have given us as emergency contacts.
Within the day-to-day running of our business, we may use third party organisations to support the essential delivery of services. These may be IT service providers, storage & shredding companies, or debt management companies. We may also be required to share personal information to prevent fraud and to assist the police in the prevention and detection of a crime.
Where third party organisations that may have access to your personal data are used, we ensure that a contract is in place and security checks are undertaken.
Where we, or third party companies who we engage with, ‘process’ data (transfer, store) outside of the European Economic Area ("EEA") we ensure that appropriate security checks are undertaken and that processing is in line with the data protection legislation.
Where data is processed outside of the EEA, it will be processed by staff operating outside the EEA who work for us or for third party companies engaged by us.
How we protect the security and confidentiality of your personal data
All employees are bound by contractual confidentiality clauses in employment contracts, receive mandatory training in data protection and confidentiality and process information under the direction of mandatory policies and procedures. Audits are carried out to ensure information recorded and created is accurate, up to date and kept securely.
We would like to keep you updated on the services and treatments that we provide at our cancer centres but will only do this where you have opted in to receive such updates. When you access our services you are provided with an option to join our mailing list. You may also have the opportunity to opt in through links or forms when you visit our website. When you opt in to receive information on our services, should you wish to stop receiving updates you can contact us and we will remove you from any mailing lists.
We never share or sell your data to external marketing companies.
Your rights under data protection legislation
The right to be informed
You have the right to be informed of how we process your personal data. We inform you of how we process your data, through the provision of this Privacy Notice, and in notices we provide when you register for our services. We also inform you of other types of processing such as call recording or CCTV through notices and recorded messages. You can also contact us at any time to query any aspect of the processing of your data.
The right to access your personal information
You may contact us to request details of the type of processing we carry out on your personal data and a copy of the personal information which we hold about you. This is known as a Subject Access Request and must be submitted in writing to either the centre manager at the Rutherford Cancer Centre where you have accessed services or directly to the Data Protection Officer at the address shown below.
We must process your request within one month of receipt of the request, however, if it is a complex request we may need to extend this by up to two months. You will be kept informed if an extension is required.
The right to rectification
You have the right to have incorrect personal information amended or completed if it is incomplete.
The right to erasure
You have the right to request that we delete the personal information we hold about you. However, there are exceptions to this and in certain circumstances we may not be able to comply with your request. For example, the right of erasure of personal information does not apply to special category data where it is being processed for medical diagnosis and the provision of health and social care.
The right to restrict processing
You have the right to limit the way we use your personal information in certain circumstances. For example, this may occur if:
- you have asked us to amend inaccurate information or
- you feel that your information has been unlawfully processed
The right to data portability
Where we are processing personal data purely in electronic format, there may be circumstances where you can request to have your data transferred (if technically possible) to another individual or organisation of your choice in an electronic format.
The right to object
You have the right to object to the processing of your personal data in certain circumstances:
You can ask us to stop processing your personal data for direct marketing at any time. When we receive an objection to processing for direct marketing we must stop processing your data for this purpose.
You have the right to object to us processing your personal data for our legitimate interests (i.e. our business reasons); however, you must give specific reasons as to why you are objecting. We may not be able to meet your request depending on the reasons stated.
Automatic decision-making and profiling
Decisions on treatment will be made, by healthcare professionals, on an individual case-by-case basis. We do not use automated decision-making tools or profiling when you provide us with personal information.
Personal data collected when using our website
When you visit our website, we automatically collect the following information:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page
We use Google Analytics cookies to collect information about how visitors use our site. Cookies are small files which are stored on a user’s computer, designed to hold a small amount of data specific to a particular user and website. Using cookies allows us to collect information about how visitors use our website.
Google Analytics sets four types of first-party cookies automatically:
These cookies track the number of visitors to our website, how long the website sessions last, and note where the website visitor arrived from. The information collected by these cookies is anonymised and visitors cannot be identified. We will use this information to write reports and make improvements to the website.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
How long do we keep personal data for?
Under data protection legislation personal data must only be processed for as long as it is necessary and not kept for an excessive period of time. The following table provides information on the retention periods for the type of data routinely processed at the Rutherford Cancer Centres. To ensure we can always provide the highest level of care and to ensure that we can monitor outcomes and conditions over a long period of time it is fundamental that certain information about individuals’ health is maintained so that it can be referred to at a later date.
How to contact us
You can contact the Data Protection Officer by writing to us at:
The Data Protection Officer
The Rutherford Cancer Centres Limited
How to complain
If you believe that your information has been unfairly or unlawfully used, you have the right to contact the Information Commissioner’s Office at the address below:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745
This Privacy Notice was updated on 24th May 2018