Protection of Data and Privacy policy

Protection of Patient Data


Patient Data Policy

This privacy policy applies between you, the User of this Website, and Maytham Vascular, the owner and provider of this Website. Maytham Vascular takes the privacy of your information very seriously. This privacy policy applies to our use of any and all Data collected by us or provided by you in relation to your use of the Website.

All personal details you provide to us when submitting a contact form or when sending us an email are treated with the strictest of confidence, and will never be shared with third parties for the purpose of marketing.

Maytham Vascular does not use subscription lists of any kind or perform any kind of direct marketing, and we will only use your contact details for responding to you directly when you get in touch with us via any of the methods provided on this website.

Our website is served over HTTPS (TLS, the successor to SSL) using a certificate with a 2048-bit RSA key, so personal details you include when submitting a contact form are encrypted in transit and cannot be read by anyone intercepting the connection between your browser and our server.

None of the cookies on our site are used to obtain information that can identify you as an individual, or follow you around when you leave our site.

We use cookies to make our site better, and to improve your experience as a visitor.

Please read this privacy policy carefully.


Definitions and interpretation

In this privacy policy, the following definitions are used:

Data: collectively all information that you submit to Maytham Vascular PLC via the Website. This definition incorporates, where applicable, the definitions provided in the Data Protection Laws;

Cookies: a small text file placed on your computer by this Website when you visit certain parts of the Website and/or when you use certain features of the Website. Details of the cookies used by this Website are set out in the clause below (Schedule of Cookies);

Data Protection Laws: any applicable law relating to the processing of personal Data, including but not limited to Directive 95/46/EC (the Data Protection Directive) or the GDPR, and any national implementing laws, regulations and secondary legislation, for as long as the GDPR is effective in the UK;

GDPR: the General Data Protection Regulation (EU) 2016/679;

Maytham Vascular, we or us: Maytham Vascular PLC, a company registered in England and Wales with address: C/o Brayne, Williams & Barnard L, Rosemount House, West Byfleet, Surrey, KT14 6LB

UK and EU Cookie Law: the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011;

User or you: any third party that accesses the Website and is not either (i) employed by Maytham Vascular PLC and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to Maytham Vascular PLC and accessing the Website in connection with the provision of such services; and

Website: the website that you are currently using, www.maythamvascular.co.uk, and any sub-domains of this site unless expressly excluded by their own terms and conditions.

In this privacy policy, unless the context requires a different interpretation:
the singular includes the plural and vice versa;
references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this privacy policy;
a reference to a person includes firms, companies, government entities, trusts and partnerships;
"including" is understood to mean "including without limitation";
reference to any statutory provision includes any modification or amendment of it;
the headings and sub-headings do not form part of this privacy policy, they are simply there as a visual reference to make things easier to find.

Scope of this privacy policy

This privacy policy applies only to the actions of Maytham Vascular and Users with respect to this Website. It does not extend to any websites that can be accessed from this Website including, but not limited to, any links we may provide to social media websites.
For purposes of the applicable Data Protection Laws, Maytham Vascular is the "data controller". This means that Maytham Vascular determines the purposes for which, and the manner in which, your Data is processed.

Data collected

We may collect the following Data, which includes personal Data, from you:
name;
contact information such as email addresses and telephone numbers;
web browser type and version (automatically collected);
operating system (automatically collected);

in each case, in accordance with this privacy policy.

How we collect Data

We collect Data in the following ways:
data is given to us by you; and data is collected automatically.

Data that is given to us by you

Maytham Vascular will collect your Data in a number of ways, for example:
when you contact us through the Website, by telephone, e-mail, contact forms or through any other means;
when you use our services;
in each case, in accordance with this privacy policy.

Data that is collected automatically

To the extent that you access the Website, we will collect your Data automatically, for example:
we automatically collect some information about your visit to the Website. This information helps us to make improvements to the Website content and navigation, and includes the date, times and frequency with which you access the Website and the way you use and interact with its content.
we will collect your Data automatically via cookies, in line with the cookie settings on your browser. For more information about cookies, and how we use them on the Website, see the section below headed "Cookies".
We also use certain third-party services, accessed via API keys, to provide specific features on the Website. These services may include:
Google Maps
Google reCAPTCHA

Our use of Data

Any or all of the above Data may be required by us from time to time in order to provide you with the best possible service and experience when using our Website. Specifically, Data may be used by us for the following reasons:
internal record keeping;
improvement of our products / services;
to respond to you when you contact us through any of the methods as outlined in the section titled "Data that is given to us by you";

in each case, in accordance with this privacy policy.
We may use your Data for the above purposes if we deem it necessary to do so for our legitimate interests. If you are not satisfied with this, you have the right to object in certain circumstances (see the section headed "Your rights" below).

Who we share Data with

We may share your Data with the following groups of people for the following reasons:
any of our group companies or affiliates - to ensure the proper administration of our website and business;
our employees, agents and/or professional advisors - to obtain advice from professional advisers, and to allow us to answer the questions you may have submitted through our contact form;
relevant authorities - to facilitate the detection of crime or the collection of taxes or duties;

in each case, in accordance with this privacy policy.

Keeping Data secure

We will use technical and organisational measures to safeguard your Data, for example:
contact form submissions are encrypted in transit using HTTPS (TLS), an industry standard;
we store your Data on secure servers.
Technical and organisational measures include measures to deal with any suspected data breach. If you suspect any misuse or loss or unauthorised access to your Data, please let us know immediately by contacting us via this e-mail address: enquiries@maythamvascular.co.uk.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.

Data retention

Unless a longer retention period is required or permitted by law, we will only hold your Data on our systems for the period necessary to fulfil the purposes outlined in this privacy policy or until you request that the Data be deleted.
Even if we delete your Data, it may persist on backup or archival media for legal, tax or regulatory purposes.

Your rights

You have the following rights in relation to your Data:
Right to access - the right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this, unless your request is "manifestly unfounded or excessive." Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the reasons why.
Right to correct - the right to have your Data rectified if it is inaccurate or incomplete.
Right to erase - the right to request that we delete or remove your Data from our systems.
Right to restrict our use of your Data - the right to "block" us from using your Data or limit the way in which we can use it.
Right to data portability - the right to request that we move, copy or transfer your Data.
Right to object - the right to object to our use of your Data including where we use it for our legitimate interests.
To make enquiries, exercise any of your rights set out above, or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), please contact us via this e-mail address: enquiries@maythamvascular.co.uk.
If you are not satisfied with the way a complaint you make in relation to your Data is handled by us, you may be able to refer your complaint to the relevant data protection authority. For the UK, this is the Information Commissioner's Office (ICO). The ICO's contact details can be found on their website at https://ico.org.uk/.
It is important that the Data we hold about you is accurate and current. Please keep us informed if your Data changes during the period for which we hold it.

Transfers outside the European Economic Area

Data which we collect from you may be stored and processed in and transferred to countries outside of the European Economic Area (EEA). For example, this could occur if our servers are located in a country outside the EEA or one of our service providers is situated in a country outside the EEA.
We will only transfer Data outside the EEA where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your Data, e.g. by way of a data transfer agreement incorporating the current standard contractual clauses adopted by the European Commission, or, where the organisation receiving the Data is based in the United States of America, by that organisation having signed up to the EU-US Privacy Shield Framework.
To ensure that your Data receives an adequate level of protection, we have put in place appropriate safeguards and procedures with the third parties we share your Data with. This ensures your Data is treated by those third parties in a way that is consistent with the Data Protection Laws.

Links to other websites

This Website may provide links to other websites. We have no control over such websites and are not responsible for the content of these websites. This privacy policy does not extend to your use of such websites. You are advised to read the privacy policy or statement of other websites prior to using them.

Cookies

This Website may place and access certain Cookies on your computer. Maytham Vascular uses Cookies to improve your experience of using the Website. We have carefully chosen which Cookies are appropriate and have taken steps to ensure that your privacy is protected and respected at all times.
All Cookies used by this Website are used in accordance with current UK and EU Cookie Law.
This Website may place the following Cookies:
Type of cookie: Necessary Cookies
Purpose: These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.

Type of cookie: Analytics Cookies
Purpose: These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

Type of cookie: Functionality Cookies
Purpose: These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

You can find a list of the Cookies that we use in the Schedule of Cookies below.
You can choose to enable or disable Cookies in your internet browser. By default, most internet browsers accept Cookies but this can be changed. For further details, please consult the help menu in your internet browser.
You can choose to delete Cookies at any time; however you may lose any information that enables you to access the Website more quickly and efficiently including, but not limited to, personalisation settings.
It is recommended that you ensure that your internet browser is up-to-date and that you consult the help and guidance provided by the developer of your internet browser if you are unsure about adjusting your privacy settings.
For more information generally on cookies, including how to disable them, please refer to aboutcookies.org. You will also find details on how to delete cookies from your computer.

General

You may not transfer any of your rights under this privacy policy to any other person. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be affected.
If any court or competent authority finds that any provision of this privacy policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy policy will not be affected.
Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
This privacy policy will be governed by and interpreted according to the law of England and Wales. All disputes arising under it will be subject to the exclusive jurisdiction of the courts of England and Wales.

Changes to this privacy policy

Maytham Vascular reserves the right to change this privacy policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Website and you are deemed to have accepted the terms of the privacy policy on your first use of the Website following the alterations. You may contact Maytham Vascular by email at enquiries@maythamvascular.co.uk.

Schedule of Cookies

Below is a list of the cookies that we use. We have tried to ensure this is complete and up to date, but if you think that we have missed a cookie or there is any discrepancy, please let us know.
Strictly Necessary Cookies

We use the following strictly necessary cookies:
Cookie name: wordpress_test_cookie
Data stored: WP+Cookie+check
When does it expire? Session cookie, deleted when the browser is closed
Description: WordPress sets this cookie when you navigate to the login page. The cookie is used to check whether your web browser is set to allow or reject cookies.

Cookie name: wp-postpass_ (followed by a hash derived from the site's URL)
Data stored: a hash of the password you entered to view password-protected content (the password itself is not stored)
When does it expire? Temporary cookie, expires after 10 days
Description: WordPress sets this cookie after you have correctly entered the password to access password-protected content. If the cookie is not present, the content is not available.
Analytical/Performance Cookies

We use the following analytical/performance cookies:
Cookie name: _ga
Data stored: a random string of letters and numbers
When does it expire? By default it is set to expire after 2 years, although this is customisable by website owners
Description: This cookie name is associated with Google Universal Analytics. It is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request on a site and used to calculate visitor, session and campaign data for the site's analytics reports. It cannot be used to identify you.

Cookie name: _gat
Data stored: a random string of letters and numbers
When does it expire? 1 minute
Description: This cookie name is associated with Google Universal Analytics. According to the documentation it is used to throttle the request rate, limiting the collection of data on high-traffic sites. It cannot be used to identify you.

Cookie name: _gid
Data stored: a random string of letters and numbers
When does it expire? 24 hours
Description: This cookie name is associated with Google Universal Analytics. It appears to store and update a unique value for each page visited by a user. It is not used to identify you.
Functionality Cookies

We use the following functionality cookies:
Cookie name: wordpress_logged_in_xxxxx (the suffix is a hash derived from the site's URL)
Data stored: your username, an expiry time, a session token and a signature (HMAC) that lets WordPress verify the cookie was not altered; your password is not stored in the cookie, and the value is signed rather than encrypted
When does it expire? Session cookie, deleted when the browser is closed, unless you tick "Remember Me" at login, in which case it persists for 14 days
Description: WordPress uses this cookie to indicate when you're logged in, and who you are.
Closing Note

We do not use any personal information provided to us for any purpose other than providing a service to our visitors, and we have your best interests at heart. We do not sell your information to third parties, and we take every reasonable measure to ensure that all information that may be of a personal nature is securely stored.

If you ever have concerns, please get in touch immediately so that we can address them.

Protection of patient privacy

Executive summary
1. As your treating clinician and therefore custodian of personal information relating to your medical treatment,
I must only use that information in accordance with all applicable law and guidance. This Privacy Notice
provides you with a detailed overview of how I will manage your data from the point at which it is gathered
and onwards, and how that complies with the law. I will use your personal information for a variety of
purposes including, but not limited to, providing you with care and treatment, sharing it with other medical
professionals and clinical audit programmes.

2. In addition, you have a number of rights as a data subject. You can, for instance, seek access to your medical
information, object to me using your information in particular ways, request rectification of any information
which is inaccurate or deletion of information which is no longer required (subject to certain exceptions). This
Privacy Notice also sets out your rights in respect of your personal information, and how to exercise them.

3. For ease of reference, this Notice is broken into separate sections below with headings which will help you to
navigate through the document.



INTRODUCTION
1. This Privacy Notice sets out details of the information that I, as a clinician responsible for your treatment (and
including my medical secretaries), may collect from you and how that information may be used. Please take
your time to read this Privacy Notice carefully.

ABOUT ME
2. In this Privacy Notice I use "I" or "mine" or "my" to refer to me as the clinician who is using your personal
information.

3. If you have any queries, comments or concerns in respect of the way I have used, or potentially will use, your
personal information then you should contact me directly and I will be happy to discuss it further.
YOUR PERSONAL DATA

4. I am a Data Controller in respect of your personal information which I hold about you. This will mainly relate
to your medical treatment, but will be likely to also include other information such as financial data in relation
to billing. I must comply with the data protection legislation and relevant guidance when handling your
personal information, and so must any medical secretary who assists me in an administrative capacity. Your
personal data may include any images taken in relation to your treatment which must not only be managed in
accordance with the law, this Privacy Notice but also all applicable professional standards including guidance
from the General Medical Council and British Medical Association.

5. I will provide your treatment from various private medical providers and, in due course, it may be necessary
for these providers to also process your personal data. They will do so in accordance with the law, the
principles of this Privacy Notice and only to the extent that it is necessary to do so. This could be where the
private medical providers need to arrange other healthcare services as part of your treatment, such as nursing
or dietician advice, or support other aspects of the treatment which I provide to you. In that case, the private
medical provider involved will become a joint Data Controller in respect of your personal information and you
will be provided with a copy of their Privacy Notice which sets out how they will manage that information.

6. Your personal information will be handled in accordance with the principles set out within this Privacy Notice.
This means that whenever I use your personal data, I will only do so as set out in this Privacy Notice. From
time to time, I may process your personal information outside of a medical provider site, as may my medical
secretary.

WHAT PERSONAL INFORMATION DO I COLLECT AND USE FROM PATIENTS?
7. I will use "special categories of personal information" (previously known as "sensitive personal data") about
you, such as information relating to your physical and mental health.

8. If you provide personal information to me about other individuals (including medical or financial information)
you should inform the individual about the contents of this Privacy Notice. I will also process such information
in accordance with this Privacy Notice.

9. In addition, you should note that if you amend data which I already hold about you (for instance by
amending a pre-populated form) then I will update my systems to reflect the amendments. My systems will
continue to store historical data.
PERSONAL INFORMATION
10. As one of my patients, the personal information I hold about you may include the following:
a) Name
b) Contact details, such as postal address, email address and telephone number (including mobile number)
c) Financial information, such as insurance policy details
d) Occupation
e) Emergency contact details, including next of kin
f) Background referral details
SPECIAL CATEGORIES PERSONAL INFORMATION
11. As one of my patients, I will hold information relating to your medical treatment which is known as a special
category of personal data under the law, meaning that it must be handled even more sensitively. This may
include the following:
a) Details of your current or former physical or mental health, including information about any healthcare
you have received from other healthcare providers such as GPs, dentists or hospitals (private and/or
NHS), which may include details of clinic and hospital visits, as well as medicines administered. I will
provide further details below on the manner in which I handle such information.
b) Details of services you have received from me
c) Details of your nationality, race and/or ethnicity
d) Details of your religion
e) Details of any genetic data or biometric data relating to you
f) Data concerning your sex life and/or sexual orientation
12. The confidentiality of your medical information is important to me, and I make every effort to prevent
unauthorised access to and use of information relating to your current or former physical and mental health
(or indeed any of your personal information more generally). In doing so, I will comply with UK data
protection law, including the Data Protection Act 2018 and all applicable medical confidentiality guidelines
issued by professional bodies including, but not limited to, the General Medical Council and the Nursing and
Midwifery Council.

13. From 25 May 2018, the current Data Protection Act will be replaced by the EU General Data Protection
Regulation (GDPR) and a new Data Protection Act. All uses of your information will comply with the GDPR and
the new Data Protection Act from that date onwards.
HOW DO I COLLECT YOUR INFORMATION?
14. I may collect personal information from a number of different sources including, but not limited to:
a) GPs
b) Dentists
c) Other hospitals, both NHS and private (including Spire/other independent provider)
d) Mental health providers
e) Commissioners of healthcare services
f) Other clinicians (including their medical secretaries)
DIRECTLY FROM YOU
15. Information may be collected directly from you when:
a) You enter into a contract with me or a private medical provider for the provision of healthcare services
b) You use those services
c) You complete enquiry forms on the private medical provider's website or on this website
d) You submit a query to me including by email or by social media
e) You correspond with me by letter, email, telephone or social media.
FROM OTHER HEALTHCARE ORGANISATIONS
16. My patients will usually receive healthcare from other organisations, and so in order to provide you with the
best treatment possible I may have to collect personal information about you from them. These may include:
a) Medical records from your GP
b) Medical records from other clinicians (including their medical secretaries)
c) Medical records from your dentist
d) Medical records from the NHS or any private healthcare organisation

17. Medical records include information about your diagnosis, clinic and hospital visits and medicines
administered.
FROM THIRD PARTIES
18. As detailed in the previous section, it is often necessary to seek information from other healthcare
organisations. I may also collect information about you from third parties when:
a) You are referred to me for the provision of services including healthcare services
b) I liaise with your health professional or other treatment or benefit provider
c) I liaise with your family
d) I liaise with your insurance policy provider
e) I deal with experts (including medical experts) and other service providers about services you have
received or are receiving from me
f) I deal with NHS health service bodies about services you have received or are receiving from me
g) I liaise with debt collection agencies
HOW WILL I COMMUNICATE WITH YOU?
19. I may communicate with you in a range of ways, including by telephone, SMS, email, and / or post. If I contact
you using the telephone number(s) which you have provided (landline and/or mobile), and you are not
available which results in the call being directed to a voicemail and/or answering service, I may leave a voice
message on your voicemail and/or answering service as appropriate, and including only sufficient basic details
to enable you to identify who the call is from, very limited detail as to the reason for the call and how to call
me back.

20. However:
a) to ensure that I provide you with timely updates and reminders in relation to your healthcare
(including basic administration information and appointment information (including reminders)), I
may communicate with you by SMS and/or unencrypted email (where you have provided me with
your SMS or email address)
b) to provide you with your medical information (including test results and other clinical updates)
and/or invoicing information, I may communicate with you by email (which will be encrypted) where
you have provided me with your email address. The first time I send you any important encrypted
email that I am not also sending by post or which requires action to be taken, I will endeavour to
contact you separately to ensure that you are able to access the encrypted email you are sent.


21. Although your preference to be communicated with by a particular method will be taken as an affirmative
confirmation that you are happy for me to contact you in that manner, I am not relying on your consent to
process your personal data in order to correspond with you about your treatment. As set out further below,
processing your personal data for those purposes is justified on the basis that it is necessary to provide you
with healthcare services.
WHAT ARE THE PURPOSES FOR WHICH YOUR INFORMATION IS USED?
22. I may 'process' your information for a number of different purposes; 'process' is essentially the language
used by the law to mean using your data. Each time I use your data I must have a legal justification to do so.
The particular justification will depend on the purpose of the proposed use of your data. When the information
that I process is classed as a "special category of personal information", I must have a specific additional
legal justification in order to use it as proposed.

23. Generally, I will rely on the following legal justifications, or 'grounds':
a) Taking steps at your request so that you can enter into a contract with me to receive healthcare
services from me.
b) For the purposes of providing you with healthcare pursuant to a contract between you and me. I will
rely on this for activities such as supporting your medical treatment or care and other benefits,
supporting your nurse, carer or other healthcare professional and providing other services to you.
c) I have an appropriate business need to process your personal information and such business need
does not cause harm to you. I will rely on this for activities such as quality assurance, maintaining my
business records, monitoring outcomes and responding to any complaints.
d) I have a legal or regulatory obligation to use such personal information.
e) I need to use such personal information to establish, exercise or defend my legal rights.
f) You have provided your consent to my use of your personal information.
24. Note that failure to provide your information further to a contractual requirement with me may mean that I
am unable to set you up as a patient or facilitate the provision of your healthcare.

25. I provide further detail on these grounds in the sections following.

APPROPRIATE BUSINESS NEEDS
One legal ground for processing personal data is where I do so in pursuit of legitimate interests
and those interests are not overridden by your privacy rights. Where I refer to use for my
appropriate business needs, I am relying on this legal ground.
THE RIGHT TO OBJECT TO OTHER USES OF YOUR PERSONAL DATA
26. You have a range of rights in respect of your personal data, as set out in detail below. This includes the right
to object to me using your personal information in a particular way (such as sharing that information with
third parties), and I must stop using it in that way unless specific exceptions apply. These exceptions include, for example,
where the use is necessary to defend a legal claim brought against me, or is otherwise necessary for the purposes of
your ongoing treatment.
LEGAL
You will find details of my legal grounds for each of our processing purposes below. I have set out individually
those purposes for which I will use your personal information, and under each one I set out the legal
justifications, or grounds, which allow me to do so. You will note that I have set out a legal ground, as well as
an 'additional' legal ground for special categories of personal information. This is because I have to
demonstrate additional legal grounds where using information which relates to a person's healthcare, which will
be the case the majority of the times I use your personal information.
Purpose 1: To set you up as my patient, including carrying out fraud, credit, anti-money laundering and other regulatory checks
27. As is common with most businesses, I have to carry out necessary checks in order for you to become a patient.
These include standard background checks, which I cannot perform without using your personal information.

28. Legal ground: Taking the necessary steps so that you can enter into a contract with me for the delivery of
healthcare.

29. Additional legal ground for special categories of personal information: The use is necessary for reasons of
substantial public interest, and it is also in my legitimate interests to do so.


Purpose 2: To provide you with healthcare and related services
30. Clearly, the reason you come to me is to provide you with healthcare, and so I have to use your personal
information for that purpose.

31. Legal grounds:
a) Providing you with healthcare and related services
b) Fulfilling my contract with you for the delivery of healthcare

32. Additional legal grounds for special categories of personal information:
a) I need to use the data in order to provide healthcare services to you
b) The use is necessary to protect your vital interests where you are physically or legally incapable of
giving consent
Purpose 3: For account settlement purposes
33. I will use your personal information in order to ensure that your account and billing is fully accurate and up-to-date.

34. Legal grounds:
a) My providing you healthcare and other related services
b) Fulfilling my contract with you for the delivery of healthcare
c) My having an appropriate business need to use your information which does not overly prejudice you
d) Your consent

35. Additional legal grounds for special categories of personal information:
a) I need to use the data in order to provide healthcare services to you
b) The use is necessary in order for me to establish, exercise or defend my legal rights
c) Your consent

Purpose 4: For medical audit/research purposes
Clinical audit
36. I may process your personal data for the purposes of local clinical audit - i.e. an audit carried out by myself or
my direct team for the purposes of assessing outcomes for patients and identifying improvements which
could be made for the future. I am able to do so on the basis of my legitimate interest and the public interest
in statistical and scientific research, and with appropriate safeguards in place. You are, however, entitled to
object to my using your personal data for this purpose, and as a result of which I would need to stop doing so.
If you would like to raise such an objection, then please contact me using the details provided in paragraph 3
above.

37. I may also be asked to share information with U.K. registries for which ethical approval is not necessarily
required but which form part of the National Clinical Audit programme, hosted by NHS England and who
provide a list of National Clinical Audit and Clinical Outcome Review programmes and other quality
improvement programmes which we should prioritise for participation. I may do so without your consent
provided that the particular audit registry has received statutory approval, or where the information will be
provided in a purely anonymous form, otherwise your consent will be needed and either I will seek this from
you or the registry themselves will do so. The registry which I regularly share data with is the National
Vascular Registry.
MEDICAL RESEARCH
38. I may also be asked to participate in medical research and share data with ethically approved third party
research organisations.

39. I will share your personal data only to the extent that it is necessary to do so in assisting research and as
permitted by law. Some research projects will have received statutory approval such that consent may not be
required in order to use your personal data. In those circumstances, your personal data will be shared on the basis
that:
Legal grounds:
a) I have a legitimate interest in helping with medical research and have put appropriate safeguards in
place to protect your privacy

Additional legal grounds for special categories of personal information:
b) The processing is necessary in the public interest for statistical and scientific research purposes

40. In the event that consent is required then either I will seek this from you, or the research agency will do so.
Purpose 5: Communicating with you and resolving any queries or complaints that you
might have.
41. From time to time, patients may raise queries, or even complaints, with me and the private medical providers
and I take those communications very seriously. It is important that I am able to resolve such matters fully
and properly and so I, as well as the private medical providers will need to use your personal information in
order to do so.
42. Legal grounds:
a) Providing you with healthcare and other related services
b) Having an appropriate business need to use your information which does not overly prejudice you

43. Additional legal grounds for special categories of personal information:
a) The use is necessary for the provision of healthcare or treatment pursuant to a contract with a health
professional
b) The use is necessary in order for me to establish, exercise or defend my legal rights

Purpose 6: Communicating with any other individual that you ask us to update about
your care and updating other healthcare professionals about your care.
44. In addition, other healthcare professionals or organisations may need to know about your treatment in order
for them to provide you with safe and effective care, and so I may need to share your personal information
with them. Further details on the third parties who may need access to your information are set out at section
[TBC] below.

45. Legal grounds:
a) Providing you with healthcare and other related services
b) I have a legitimate interest in ensuring that other healthcare professionals who are routinely involved
in your care have a full picture of your treatment

46. Additional legal grounds for special categories of personal information:
a) I need to use the data in order to provide healthcare services to you
b) The use is necessary for reasons of substantial public interest under UK law
c) The use is necessary in order for me to establish, exercise or defend my legal rights