Privacy Notice Concerning the Processing of Patient Personal Data

1. Introduction

This Notice describes the steps that Cleveland Clinic London Ltd (“CCL”, “we” or “us”), an affiliate of The Cleveland Clinic Foundation (“Cleveland Clinic”), takes to protect the personal data that we process about our patients. As a patient of CCL, we collect, store, use and otherwise process personal data about you for various purposes, as described in this Notice. We are committed to the protection of the personal data that we process about you in line with the data protection principles and requirements set out in the European Union General Data Protection Regulation 2016 (“GDPR”), and GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018 (“UK GDPR”), and the UK Data Protection Act 2018 (“DPA”).

This Notice applies to all CCL patient data. We may amend this Notice from time to time and will inform you in advance of the effective date of any material changes that we intend to implement.

Terms defined in the UK GDPR or in Section 12 below shall have the meaning set out therein.

2. Identity of the Data Controller

CCL is responsible for processing your personal data and is the data controller. Our registered office is located at Suite 1, 3rd Floor 11-12 St. James’s Square, London, United Kingdom, SW1Y 4LB.

3. How We Source Your Personal Data

Most of the personal data that we process about you has been provided by you directly to us. CCL may also collect personal data about patients from other third parties, including insurers, other healthcare providers and information exchanges designed to facilitate sharing patient data between healthcare providers.

4. Categories of Personal Data that We Process, Our Purposes for Processing, the Applicable Lawful Bases, and any Special Condition

The categories of personal data that we may process about you and our purposes for doing so are set out in the table below. The table also identifies our lawful basis for the processing and any condition for processing special categories of data or criminal convictions and offenses data.

Table columns: Categories of Personal Data; Purpose of Processing; Lawful Basis; Special Condition for Special Categories*

Contact Information
  Purpose of processing: To communicate with you related to health services, respond to questions and complaints, and to send you additional information about us
  Lawful basis: Processing is in our legitimate interest; you have provided consent
  Special condition: Not applicable

Health data and personal information collected as part of providing health care
  1. Purpose of processing: To understand your needs as a prospective patient or ongoing patient and for ongoing management and assessment of a patient’s care
     Lawful basis: Our performance under a contract with you
     Special condition: Processing is necessary for medical diagnosis, the health care or treatment or the management of our healthcare system (Schedule 1, Part 1, paragraph 2 of DPA)
  2. Purpose of processing: To assess your medical condition and provide you with healthcare services and related services (e.g., referrals)
     Lawful basis: Our performance under a contract with you
     Special condition: Processing is necessary for medical diagnosis, the health care or treatment or the management of our healthcare system (Schedule 1, Part 1, paragraph 2 of DPA)
  3. Purpose of processing: To manage our healthcare systems and operations
     Lawful basis: It is in our legitimate interest to effectively manage our healthcare operations and facilities
     Special condition: Processing is necessary for medical diagnosis, the health care or treatment or the management of our healthcare system (Schedule 1, Part 1, paragraph 2 of DPA)
  4. Purpose of processing: For research purposes
     Lawful basis: It is in our legitimate interest to be engaged in clinical research for purposes of monitoring and improving our services that is in the public interest
     Special condition: The processing is necessary for scientific research purposes in accordance with Article 89(1) of UK GDPR (Schedule 1, Part 1, paragraph 4 of DPA)
  5. Purpose of processing: For communicating with your coverage and receiving payment under applicable insurance policies. Any election not to provide consent for CCL to share health information with an insurer will mean CCL will treat you as self-pay.
     Lawful basis: You have provided consent; it is in our legitimate interest to provide health information necessary for administration related to authorization and claims payment
     Special condition: You have provided consent; processing is necessary for the management of our healthcare system (Schedule 1, Part 1, paragraph 2 of DPA)
  6. Purpose of processing: To share with other third parties at your direction
     Lawful basis: You have provided consent
     Special condition: You have provided consent

Family data
  Purpose of processing: To contact family of patients in connection with healthcare services
  Lawful basis: Performance of our contract with you; it is in our legitimate interest to have a family member who can be a contact in certain health situations, including incapacity and death
  Special condition: Processing is necessary for the management of our healthcare system (Schedule 1, Part 1, paragraph 2 of DPA)

Financial information
  Purpose of processing: Purposes of receiving payment
  Lawful basis: Performance of our contract with you
  Special condition: Not applicable

Any data
  1. Purpose of processing: To provide to regulatory authorities or other organizations when there is a legal obligation
     Lawful basis: Legal obligation
     Special condition: Processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity; processing is necessary for legal proceedings, legal advice, related to or defending legal rights (Schedule 1, Part 3, paragraph 33 of DPA)
  2. Purpose of processing: To maintain backups of information technology systems
     Lawful basis: It is in our legitimate interest to maintain backups of data to minimize potential disruptions to our operations
     Special condition: Processing is necessary for the management of our healthcare system (Schedule 1, Part 1, paragraph 2 of DPA)

Copy of your passport
  Purpose of processing: To verify your identity
  Lawful basis: Legal obligation
  Special condition: Processing is necessary for the management of our healthcare system (Schedule 1, Part 1, paragraph 2 of DPA)

CCTV images
  Purpose of processing: To ensure the safety of our premises, patients, and staff
  Lawful basis: Legitimate interest
  Special condition: Not applicable

Electronic data on our networks
  Purpose of processing: For purposes of protecting our networks, systems, and data, we monitor all our systems for potential cybersecurity threats
  Lawful basis: Legitimate interest
  Special condition: Not applicable

*We may need to process data as necessary in connection with any legal claims or prospective legal claims (Schedule 1, Part 3, paragraph 33 of DPA).

5. Data Sharing: Intra-Group and Third Party Recipients

The purposes for which we share personal data relating to our patients with the Cleveland Clinic, and also with trusted third-party vendors and business partners, are set out below.

a) Intra-group transfers

CCL stores your patient records in an electronic medical record in the United Kingdom. For limited administrative functions and medical diagnostic support, however, we may share your personal data with the Cleveland Clinic for the purposes set out below. Cleveland Clinic personnel who have a need to know your information may access your data for purposes within their job responsibility to fulfil the purposes described in Section 4. These transfers are protected by the obligations set out in intra-group agreements that we have entered into with the Cleveland Clinic. These agreements cover personal data transferred for the following purposes:

  • To perform administrative functions;
  • To provide medical diagnostic support;
  • To provide services for the operations of CCL; and
  • For regulatory purposes.

b) Third Party Suppliers

CCL also shares personal data with trusted service providers and business partners pursuant to contractual agreements with them. These agreements will, as necessary, include appropriate technical and organisational safeguards to protect any personal data that we share with them. We may share patient personal data with third parties that perform services and carry out functions on our behalf and under our instruction as a data processor. These third parties include:

  • Credit card processors;
  • IT service providers that manage CCL’s infrastructure; and
  • Hosted service providers related to patient care or administration.

We may also disclose patient personal data to third parties acting as independent data controllers. All of these recipients are themselves responsible for determining the purposes and means of the processing and for the lawfulness of the processing. These third parties include:

  • our auditors, lawyers, consultants, law enforcement and other public authorities (such as NHS organisations);
  • the police, prosecutors, courts and tribunals;
  • other healthcare providers; and
  • our regulators, including the Information Commissioner’s Office, the Care Quality Commission, the Medicines and Healthcare products Regulatory Agency, and the Health and Safety Executive.

6. International Transfers: Intra-Group and Third Party Vendors

a) Intra-Group

CCL transfers patient personal data to the Cleveland Clinic located in the US. The Cleveland Clinic acts as a joint controller in relation to certain administrative functions and medical diagnostic support. The international transfer of patient personal data from CCL to the Cleveland Clinic is governed by EU Commission-approved Standard Contractual Clauses for controllers, taking into account appropriate technical and security safeguards. You may request a copy of the relevant sections of these agreements by contacting us in one of the ways set out in Section 11.

b) Third Party Suppliers

If and when transferring your personal data outside the UK and EEA, we ensure a similar degree of protection is afforded to it by ensuring that appropriate safeguards are implemented. Where a third party supplier is based outside of the UK and EEA, we will usually achieve this by using one of the following safeguards:

  1. the transfer is to a non-EEA country outside the UK that has been the subject of an adequacy decision; or
  2. the transfer is governed by the EU Commission-approved Standard Contractual Clauses.

You may request further information, including a copy of the relevant sections of the relevant transfer documentation, by contacting us in one of the ways set out in Section 11.

7. Your Rights

In any circumstances where we have relied on your consent to process your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. This will not affect the lawfulness of any processing carried out before you withdrew your consent. You also have the following rights:

  • to obtain access to your personal data - you may request information on how your personal data is handled by us and request a copy of such personal data;
  • to request us to correct or update your personal data if it is inaccurate or out of date;
  • to object to the processing of your personal data for the purposes of our legitimate interests, unless:
      1. we demonstrate compelling legitimate grounds which override your right to object, or
      2. the processing is necessary for the establishment, exercise or defence of legal claims;
  • to erase your personal data held by us:
      1. which are no longer necessary in relation to the purposes for which they were collected,
      2. to the processing of which you object, or
      3. which may have been unlawfully processed by us;
  • to restrict processing by us, i.e. the processing will be limited to storage only:
      1. where you oppose deletion of your personal data and prefer restriction of processing instead, or
      2. where you object to the processing by us on the basis of our legitimate interests; and
  • to transmit personal data you submitted to us back to you or to another organisation in certain circumstances.

These rights are not absolute and are subject to various conditions under:

  • applicable data protection and privacy legislation; and
  • the laws and regulations to which we are subject.

Should you wish to exercise the rights accorded to you by data protection laws as described above, please contact us at the details in Section 11. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You have the right to make a complaint at any time to the UK supervisory authority for data protection issues, for example, if you are not happy with how CCL processes your personal data or we fail to provide you with a satisfactory resolution to your request. The UK supervisory authority is the Information Commissioner's Office (ICO) whose details can be accessed via the ICO website at https://ico.org.uk/global/contact-us/

8. Retention of Personal Data

CCL will keep and process your personal data only for as long as is necessary for the purposes for which it was collected in connection with you being a CCL patient, unless CCL has a legal right or obligation to retain the data for a longer period.

9. Statutory/Contractual Requirements

In certain cases, you may choose not to provide CCL with your personal data and/or provide incomplete personal data. However, please be aware that we may not be able to engage in or continue a contractual relationship with you where your personal data is required for administrative purposes or otherwise as necessary for us to perform our contract with you, and/or to fulfil our statutory obligations.

10. Automated Decision-Making and Profiling

We will not use your personal data to make decisions based solely on automated decision-making and/or profiling.

11. Contact Information

Questions, comments and requests regarding this Notice may be emailed to [email protected] or sent by post to Suite 11, 3rd Floor, 11-12 St. James’s Square, London, SW1Y 4LB, Attn: Rik Mannix, Data Protection Officer.

12. Definitions

The following terms used within this Notice are defined as follows:
“data controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or EU laws or regulations, the controller or the specific criteria for his nomination may be designated by national or EU law.

“data processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller.

“DPA” means the UK Data Protection Act 2018.

“European Economic Area” or “EEA” means the Member States of the European Union, plus Norway, Iceland and Liechtenstein.

“filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

“personal data” means any information relating to an identified or identifiable natural person (also referred to as ‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“process” or “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“special categories of personal data” are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of identifying an individual, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“supervisory authority” means for the UK GDPR, the Information Commissioner’s Office; and for GDPR, an independent public authority, which is established by a Member State under the GDPR pursuant to article 51 of the GDPR.