Westminster Medical Group is committed to protecting and respecting your privacy and all personal information entrusted to us. We are dedicated to safeguarding all such data and maintaining a system that meets our obligations under the new regulations and as permitted by applicable laws. To this end we fully comply with the General Data Protection Regulation (GDPR) which came into force on 25 May 2018, and any other national implementing laws, regulations and secondary legislation, as amended in the UK (‘Data Protection Laws’).
- PERSONAL DATA WE COLLECT
The personal information we hold about you when you enquire or become WMG patient or customer may include the following:
- Contact details (i.e. email address, postal address, and phone number)
- Date of birth
- Emergency contact details, including next of kin
- Previous medical history
- Background referral details
- Special categories of personal data in accordance with Art. 9 (1) GDPR, which is bound to be handled sensitively (e.g. details of your current or former mental and physical health, previous healthcare received, details of services provided by WMG, details of your nationality, race and/or ethnicity)
- Technical information where you use any of our websites (including IP address, browser type and version, time zone setting, operating system and platform)
- WHY DO WE COLLECT DATA
There is a number of different purposes for which we may store, process and use your information. We process your personal data for the execution of our medical services as well as to exercise or fulfill laws, and to perform contractual obligations arising from any contract entered into between you and WMG. We may use your personal data for example to:
- Provide you with information, products and healthcare services that you request
- Notify you about changes and updates to our products and services
- Respond to requests where we have a legal or regulatory obligation to do so upon request of public authorities
- Establish, exercise or defend our legal laws (i.e. statutory requirements, balance of interest)
- Fulfil taxation control, reporting or documentation requirements
- Ensure that content from any of our websites is presented to you in the most effective manner for you and for your computer or mobile application.
- DATA COLLECTION AND LEGAL BASIS FOR DATA PROCESSING
We collect personal data if you:
- Visit one of our websites or digital and online platforms
- Fill in an online assessment or enquiry form
- Enquire about any of our services through the website
- Register to become a customer or enter into a contract with WMG
- Correspond with us by letter, email, telephone or social media
- Complete a clinic form or questionnaire
- Take part in our promotional or marketing activities
With your prior consent, we may also collect personal information and medical records (including information about your diagnosis, hospital visits and medicines administered) from a number of different sources including hospitals, clinicians, GPs, mental health providers, dentists or directly from you in order to provide you with the best and safest treatment possible.
3.1 Methods of Processing
The data processing is carried out using computers and/or IT enabled tools, following organisational procedures and modes strictly related to the purposes indicated. In addition to the Data Controller, in some cases, the data may be accessible to certain types of persons in charge, involved with the operation of the site (administration, sales, marketing, legal, system administration) or external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The list of these parties is stated in Clause 5 ‘Disclosure of Data’, and its updated version may be requested from the Data Controller at any time.
3.2 Obtaining Consent
If you have given us your prior consent to the processing of personal data for specific purposes (e.g. photos, video recordings, etc.), the lawfulness of this processing is based on your consent. Processing shall only take place in accordance with the purposes set out in the consent. Consent can be revoked at any time with effect for the future. This also applies to the revocation of declarations of consent issued to us before the validity of the GDPR, respectively before May 25, 2018. The revocation of consent does not affect the legality of the data processed until the revocation.
3.3 Data Retention
In WMG we process and store your personal data as long as it is necessary for the performance of services and/or the fulfilment of our contractual and legal obligations. We have updated our retention policy to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed in accordance with our obligations. Your personal data is only kept for the time reasonably necessary to provide the service requested, or fulfil the relevant purposes outlined in this Private Policy. You can always request that the Data Controller suspend or remove the data, unless statutory retention requirements preclude this. Please see 4.4 ‘The Right to Erasure’ clause below.
The data is processed at the Data Controller’s operating offices and in any other places where the parties involved with the processing are located. For further information, please contact our responsible Data Protection Officer.
- YOUR RIGHTS
The data protection law gives you certain rights in respect of the personal data that we hold about you. These include rights to know what information we hold about you and how it is used.
We provide easy-to-access information in the office of an individual’s right to access any personal information that Westminster Medical Group processes about them and to request information about:
- what personal data we hold about them
- the purposes of the processing
- the categories of personal data concerned
- the recipients to whom the personal data has/will be disclosed
- how long we intend to store your personal data for
- if we did not collect the data directly from them, information about the source
- the right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
- the right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
- the right to lodge a complaint or seek judicial remedy and who to contact in such instances.
4.1 The Right to Access
You are usually entitled to a copy of the personal information we hold about you and details about how we use it. Your information will usually be provided to you in writing unless otherwise requested. If you have made the request electronically, the information will be provided to you by electronic means where possible.
4.2 The Right to Withdraw Consent
In some cases, we may need your consent in order for our use of your personal information to comply with data protection legislation. See Clause 3.2 ‘Obtaining Consent’ above. Where we do this, you have the right to withdraw consent for the processing of your personal data at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
4.3 The Right to Rectification
Our team take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can request WMG to update or amend it. If any of your personal data has changed, especially contact information such as email address, postal address and phone number please get in touch with us so we can ensure your personal data is kept up to date.
4.4 The Right to Erasure
Under Art. 17 GDPR the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay. In some circumstances, you have the right to request that WMG delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
You may exercise these rights at any time by contacting our assigned data protection team in writing for the attention of the Data Protection Officer at the address mentioned in Clause 9 ‘The Data Controller’. Please note that we may require you to verify your identity before allowing you to access your personal information.
- DISCLOSURE OF YOUR PERSONAL DATA
Within our company, those entities gain access to your data, which need them to fulfill our contractual, statutory and regulatory obligations as well as to safeguard legitimate interests. In the usual course of our business, Westminster Medical Group may be required to disclose your personal information to a third party organisations, these may include:
- Any healthcare professional involved in your treatment
- Other members of support staff involved in the delivery of your care such as coordinators and receptionists
- Organisations providing IT systems support and hosting in relation to the IT systems on which your information is stored
- Third parties who assist in the administration of your healthcare, such as insurance companies
- Our third party service providers such as auditors, lawyers and tax advisers
- Government bodies, regulators and other third parties where reasonably necessary for the prevention and detection of crime
- Selected business partners, sub-contractors or third parties in connection with any sale, transfer or disposal of our business
- Third party marketing companies for the purpose of sending marketing emails, subject to obtaining appropriate consent
When a third-party data processor is used, WMG will ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under Data Protection Laws.
- SURVEYS, MARKETING AND MEANS OF COMMUNICATION
To ensure that WMG provide you with timely updates and reminders in relation to your treatment or appointment, we may communicate with you via SMS, social platforms and messengers and/or email, in each case where you have expressed a preference within your enquiry to be contacted by phone and/or email. We may use communication to contact you regarding patient satisfaction surveys which are for the purpose of improving our service or monitoring outcomes.
- SAFEGUARDING MEASURES
Westminster Medical Group already has a consistent level of data protection and security across our organisation, but we have introduced new measures to ensure compliancy.
We protect all personal data by ensuring that we have appropriate organisational and technical security measures in place to prevent unlawful processing of personal data and to prevent data being lost, destroyed or damaged. We conduct regular assessments to ensure the ongoing security and update of our information systems.
The transmission of information via the internet cannot be guaranteed as completely secure. However, we ensure that any information transferred to our websites is via an encrypted connection. Once we have received your information, we will use strict procedures and security features for prevention of unauthorised access.
We take security and confidentiality of your personal and medical information very seriously and take every reasonable measure to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and make every effort to prevent any unauthorised access to your sensitive information. In doing so, Westminster Medical Group complies with UK Data Protection Act 2018, and all applicable medical confidentiality guidelines issued by professional bodies including the General Medical Council.
Regarding data transmission to recipients outside of our company, it should be noted that we only transfer your personal information if it is required by law or if you have consented thereto.
- THE DATA CONTROLLER
- CHANGES TO THIS PRIVATE POLICY
Latest update: 10 February 2022.