This document is designed to help you understand why and how we use your personal data. By personal data we mean information that relates to a living individual and which can identify or be identified with that individual.
We are The Menopause Specialists Limited, a company with number 13986893 and registered office at Home Close, Grayswood, Haslemere, GU27 2DE. You can contact us by:
• emailing us at firstname.lastname@example.org; or
• writing to us at Home Close, Grayswood Road, Haslemere, GU27 2DE.
What personal data do we collect from you?
In delivering our services, we may collect and use the following personal data about you:
• your name and contact information, including email address and telephone number;
• your residential address;
• your date of birth;
• your gender, if you choose to give this to us;
• emergency contact details;
• your GP’s name and address;
• your medical history and information about your health as completed by you in our Medical History Questionnaire and Menopause Symptom Questionnaire. This may include details of medical conditions, medication, weight, lifestyle and other information that might be relevant to your health such as race, ethnicity, sex life or sexual orientation;
• your billing information, transaction and payment card information;
• your contact history with us; and
• information about how you use our website, IT, communication and other systems.
We collect and use this personal data to provide services to you. If you do not provide personal data we ask for, it may delay or prevent us from providing services to you.
How is your personal data collected?
We collect most of this personal data directly from you: in person, by telephone, text or email, and/or via our website and questionnaires.
However, we may also collect information:
• from a third party with your consent, e.g. your GP;
How and why we use your personal data
Generally, we will use your personal data to register you as a patient, administer the provision of services to you, manage our relationship with you and improve the level of service that we offer. Under data protection law, we can only use your personal data if we have a proper reason, e.g.:
• where you have given consent;
• to comply with our legal and regulatory obligations;
• for the performance of a contract with you or to take steps at your request before entering into a contract; or
• for our legitimate interests or those of a third party.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. The table below explains what we use your personal data for and why.
How and why we collect special category personal data
In providing our services to you, we will be required to collect more sensitive personal data from you, to which additional protections apply under data protection law. This may include:
• information relating to your health, including details of medical conditions, medication, weight and lifestyle;
• information revealing your racial or ethnic origin; and
• information on your sex life or sexual orientation, or religious or philosophical beliefs, that may be relevant to your health.
The legal basis for our processing of such special category personal data is the provision of healthcare and treatment to you and the management of our healthcare systems and services. This includes the purposes of preventative medicine and giving you medical diagnoses. When you first register for our services, and at various points after that, we will ask you to provide health data and complete questionnaires about your health and wellbeing. This includes questions about your symptoms, medication and health background. Our legal basis for processing this data is your consent, which you can withdraw at any time by notifying us using the contact details in the “Your rights and how to exercise them” section below.
As the data involved relates to your health, we shall ensure that any such consent obtained is explicit consent. Please note that without your consent to this processing, we will be unable to offer you access to our clinic and services. This is because your health data is necessary for us to provide our support and information.
Who do we share personal data with?
Internally, we only grant access to personal data (including special category personal data) to those people who need access to that data to carry out their role. Externally, we may from time to time share personal data (including special category personal data) with the following categories of recipients, but always subject to due respect for your privacy:
• our service providers, for instance:
▪ the companies that manage our IT infrastructure;
▪ companies that provide us with cloud-based IT systems;
▪ external companies providing services to us, such as blood testing and analysis of tissue samples; and
▪ our external advisors, for instance IT consultants, accountants and lawyers;
• your GP and other medical practitioners or healthcare professionals involved in your care or treatment, only where we have been given express permission to do so or we have cause to believe that you are a danger to yourself or others;
• our regulators, law enforcement, intelligence services and other government authorities, where they require us to do so; and
• potential buyers of or investors in our business, where necessary in connection with a due diligence exercise.
Where we share personal data (including special category personal data) externally, we will always ensure that the recipient is contractually committed to using the personal data only in compliance with our instructions and data protection law.
How long will your data be kept?
We will keep your personal data while we are providing services to you. Thereafter, we will keep your personal data for as long as is necessary:
• to respond to any questions, complaints or claims made by you or on your behalf;
• to show that we treated you fairly; and
• to keep records required by law.
We will not keep your personal data for longer than necessary. Different retention periods apply to different types of personal data; for example, we are obliged to keep health data for a period of 8 (eight) years after the date on which we stop providing services to you. When it is no longer necessary to keep your personal data, we will delete or anonymise it.
Transfers of personal data outside of the United Kingdom
The UK's data protection laws differ from those of other countries, some of which provide lower levels of privacy protection. We generally store and process personal data inside the UK. However, it is sometimes necessary for us to transfer your personal data to countries outside the UK, for example where the third parties who assist us in providing the services (suppliers) are located outside the UK. In those cases we will comply with applicable UK laws designed to ensure the privacy of your personal data. Where suppliers transfer data outside the UK, we require them to do so in compliance with UK data protection law, typically by entering into standard contractual clauses approved by the United Kingdom as providing protection equivalent to that which would apply had the personal data remained in the UK.
We can provide more information on the countries outside the UK to which we transfer your personal data on request.
Keeping your personal data secure
We have appropriate security measures in place to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We continually test our systems and follow ISO 27001 good practice principles, which means we strive to follow leading industry standards for information security. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Your rights and how to exercise them
The law gives you certain rights in respect of the personal data that we hold about you. Below is a short overview of those rights (for more information about the rights you have in respect of your personal data please visit the Information Commissioner’s Office website: www.ico.org.uk).
• Access
With some exceptions designed to protect the rights of others, you have the right to a copy of the personal data that we hold about you. Access to the personal data we hold on you is free of charge; however, we may make a reasonable charge, based on our administrative costs, for additional copies of that data beyond the first copy. Where you have given us your personal data (e.g. you have completed the medical questionnaire), you may have the right to receive a copy of this data in a common electronic format. If you wish, we can provide copies of this data to other people, where it is technically feasible to do so.
• Correction
You have the right to have the personal data we hold about you corrected if it is factually inaccurate. This right does not extend to matters of opinion.
• Deletion
In some limited circumstances, you have the right to have personal data that we hold about you erased (“the right to be forgotten”). This right is not generally available where we still have a valid legal reason to keep the data (for example, in connection with a legal claim or because we are obliged to keep it by law).
• Objection
You have the right to object to our processing of your personal data where we rely on “legitimate interests” as our legal basis for processing, but we may be able to continue processing if our interest outweighs your objection.
• Opting out of marketing
You have the right to require us to stop using your personal data to send you marketing information. If you want us to stop sending you marketing information, the quickest and most efficient way is to use the provided “unsubscribe” links in our communications (although you can contact us direct on the details below if you prefer).
• Temporary restriction
You also have the right, in some circumstances, to request that temporary restrictions are placed on how we process your personal data. For example, you may do so if you contest its accuracy, or where we are processing it on the basis of our legitimate interests and you contest our assessment that our interests override your rights.
• Withdrawing consent
If we are processing your personal data on the basis of your consent, you have the right to withdraw that consent at any time, in which case we will stop that processing unless we have another legal basis on which to continue.
Please be advised that in certain circumstances withdrawal of consent to continue processing your personal data may affect your future access to, or benefit from, the service or part of the service.
To exercise any of your rights you can:
Please note that, in order to protect your privacy, we may ask you to prove your identity before we take any steps in response to a request you have made. We treat the protection of your personal data with the utmost importance, but if you have cause to complain, we would always ask that you contact us first so we can attempt to resolve the matter for you.
However, you also have the right to lodge a complaint about our handling of your personal data with the Information Commissioner’s Office. You can contact them on 0303 123 1113 or via their website at www.ico.org.uk/make-a-complaint
Changes to this policy