Who has information about me?
Circle Health, the independent hospital group, acquired BMI Healthcare in the year 2020 in a deal to deliver a new generation of best-in-class hospitals. Our hospitals are run by Circle Health Group (CHG). Some of our hospitals (BMI Southend Private Hospital, BMI Three Shires Hospital and BMI Syon Clinic) and some of the services in some of our hospitals (the oncology service at BMI Beardwood Hospital and some imaging services at BMI Mount Alvernia Hospital and BMI Three Shires Hospital) are owned by partner companies, each of which has a management contract with BMI Healthcare and forms part of the Circle Health Group. A partner company also owns the CT and MRI scanners at BMI The Meriden Hospital; this service is managed by UME.
All these companies are registered at Circle Health Group, 1st Floor, 30 Cannon Street, London EC4M 6XH and their full names and registered company numbers are as follows:
- Circle Health Group Limited – 02164270
- Three Shires Hospital LLP – OC398963
- BMI Southend Private Hospital Limited – 05155289
- BMI Syon Clinic Limited – 05706302
- North West Cancer Clinic Limited (05706220) - BMI Beardwood Hospital oncology service
- BMI Imaging Clinic Limited (05706274) - imaging service at BMI Mount Alvernia Hospital
- The Pavilion Clinic Limited (06061941) – imaging service at BMI Three Shires Hospital
- Meriden Hospital Advanced Imaging Centre Limited (05607465) – MRI and CT service at BMI The Meriden Hospital
- CHG Management Services Limited- 05042771
- Circle Decontamination Limited- 06003075
Each of these companies may, to the extent relevant, collect, retain and use information about you and we refer to these collectively as ‘Circle Health Group’ in this document.
We may from time to time include on our websites, links to and from the websites of other organisations. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies and notices before you submit any personal data to these websites.
Where did you get this information from and what information does Circle Health Group (CHG) hold about me?
We have information about you which you and others involved in your care and treatment (or their secretaries) or who are paying for your care and treatment have supplied to us.This is likely to include your name and contact details (postal and email addresses and phone numbers) as well as emergency contact details, including your next of kin. For our health assessment clients who come to us through their employer’s health assessment benefit scheme, we have information about you which your employer has supplied to us. This is likely to include your name and contact details (postal and email addresses and phone numbers).
We may also hold more sensitive information about you, such as your current or previous physical or mental health, your sex life and/or sexual orientation, your religion, nationality, race and/or ethnicity and genetic or biometric data relating to you. This may also include details of healthcare services provided previously by CHG and others such as GPs, dentists or hospitals, previous hospital visits and details of any medications you have been prescribed or taken. We refer to this as ‘more sensitive information’ in this Privacy Notice.
We may collect information from you when you visit our websites or enquire about our products or services. We may hold information about you contained in enquiry or booking forms, including through our 'make an enquiry' or 'Live Support' sections of our websites. In addition, we may hold information about you that you provide in surveys or in feedback or from transactions you carry out on our websites or online payments you make.
If you call our central helplines (such as the National Enquiry Centre or the Circle Business Service), or engage with our live support via our website, your communication may be recorded and retained for a limited period for training and monitoring purposes and to help improve our services. We do not record telephone calls to our hospitals.
Sometimes we obtain information about you from credit reference agencies, debt collection agencies and government agencies such as HMRC or the Home Office.
In order for us to provide your health assessment, care and/or treatment, we ask that you provide as much information to us as you can. You are of course free not to disclose information to us and you should only provide such information as you feel comfortable doing so. Please bear in mind, however, that if you are only willing to share limited information, we may not be able to provide you with a full health assessment or the full range of care and treatment (as applicable), and that could mean being unable to see you at the hospital (since we may not be able to share your information in the way required in order to provide your health assessment, care or treatment, or run our business (for example, billing) and comply with our legal obligations).
How will Circle Health Group use the information it holds about me?
We use information about you in connection with your health assessment, treatment and/or care, including tests or assessments and medical examinations. We will use this also in connection with payment of fees, including billing, invoicing and settlement of your account with us.
We may use your phone number, postal address (or email address where you have provided it to us) to contact you in advance of and after your admission or appointment for reasons connected with your health assessment, care or treatment. Where you have provided us with your mobile number or email address, we may send you confirmations/reminders of your appointments via text message, your postal or provided email address and we may respond to your email enquiries via email.
We may also use information about you for quality assurance, maintaining our business records, developing and improving our products and services and monitoring outcomes where we believe there is a business need to do so and our use of information about you does not cause harm to you. This may include our workforce planning and workload management systems to help support our staff and clinicians to develop and plan the most appropriate levels of care to our patients and to ensure we have got the right levels of productivity and efficiency and good outcomes for patients.
We may also use information about you where there is a legal or regulatory obligation on us to do so (such as the prevention of fraud) or in connection with legal proceedings. If considered necessary, we may use information about you where it is in the legitimate interest of the organisation. Where this occurs, we would balance your interest against that of the organisation.
We may also use information about you where you have provided your consent to us doing so.
Please see also the more detailed information in the section below.
Will Circle Health Group share information about me with others?
Yes; we set out these reasons below and assure you that in each case, we share only such information as is appropriate.
Sharing information with those involved in your health assessment, care or treatment (or with those who are paying for your care or treatment)
We will share your medical information with those involved in your health assessment, care or treatment (such as doctors, nurses and physiotherapists) for medical purposes (including the provision of health assessments). Some of our nursing staff and the resident doctors in our hospitals are provided by specialist staffing agencies. Consultants (such as surgeons, anaesthetists and radiologists) and some of their medical secretaries are also not employed by us.
We will share information about you with other members of staff involved in the delivery of your care (such as our housekeeping teams, medical secretaries, receptionists, and porters).
Some of those involved with your health assessment, treatment or care are external companies providing services such as blood tests and blood for transfusions, analysis of tissue samples, such as biopsies, and catering; including for specialist medical devices, bespoke prostheses and certain genomic testing. We work with some specialist companies that are based outside of the United Kingdom. Local NHS hospitals provide some of our hospitals with support services (such as blood tests and housekeeping) and we may share information about you with these hospitals where required in connection with your care.
We may also share relevant parts of your medical information with your General Practitioner (GP), Dentist, NHS hospitals, other private hospitals and the organisation paying for your treatment (for example your insurance company, embassy, employer or NHS commissioner). For our health assessment clients who come to us through their employer’s health assessment benefit scheme, please be assured that we will not share your medical information with your employer.
If we are concerned that you may be vulnerable or ‘at risk’, we may share information about you with the local Safeguarding Team, the specialist members of which come from the local authority, NHS organisations and the police.
We may share information about you with anyone you have asked us to communicate with or whose details you have provided as an emergency contact (such as your next of kin).
Sharing information with third parties who are not involved in your health assessment, care or treatment
We may share information about you with external organisations such as our lawyers, auditors, financial, tax and public relations advisors and NHS organisations. We may also share information about you with third party suppliers, which provide us with a secure credit/debit card storage system, document scanning and off-site storage facilities, electronic patient and clinical staff administration and records systems and radiology imaging archiving and reporting systems. We may also share information about you with those providing us with information technology systems, this includes an incident management and recording system and a system for electronic prescribing as well as other clinical and non-clinical software applications (and related services) and website hosting. In each case, we would share only such information as was relevant.
Sharing your information with credit checking and debt collection agencies*
We may engage the services of debt collection agencies for the collection of any debts owed to us. If your bill is not paid on time, we may share information such as your Name, contact details, amount owed and services or products which the debt may cover, with debt collection agencies.
Please be assured that your medical records would not be shared either with credit checking agencies or with debt collection agencies.
* This section does not apply to health assessment clients as payment for those assessment services is made either by your employer or in advance by you where you pay for these services yourself.
Sharing information with your General Practitioner (GP)
It is a common practice for our consultants to write to your GP following consultation with us. If, however you ask us not to share your data with your GP, we shall respect your request where we are legally permitted to do so. A decision to restrict the sharing of information with your GP could be negatively detrimental to your health and care and we strongly advise against it.
Sharing with regulators or because of a legal obligation
We may share information about you with our regulators, including the Care Quality Commission, Healthcare Improvement Scotland and Healthcare Inspectorate Wales (which inspect our hospitals in England, Scotland and Wales respectively). Other regulators with whom we may share information about you include the Medicines and Healthcare products Regulatory Agency (which ensures medicines and medical devices used in the UK work and are acceptably safe), the Human Fertilisation and Embryology Authority (which regulates and inspects all our clinics providing fertility services or which store eggs, sperm or embryos), NHS England (which leads the NHS in England) and the Department of Health (the government department responsible for health and adult social care policy).
Sometimes, we are required to disclose information about you because we are legally required to do so. This may be because of a court order or because a regulatory body has statutory powers to access patients’ or health assessment clients’ records as part of their duties to investigate complaints, accidents or health professionals’ fitness to practise. Before any disclosure will be made, we will satisfy ourselves that your interests, rights and freedoms have been considered in line with appliable laws. We may engage with national and other professional research/audit programmes and registries where it is necessary to do so. Information about you may also be shared with the police and other third parties where reasonably necessary for the prevention or detection of crime. On occasion, this may include the Home Office and HMRC.
Relationship with our Consultants
Most of the consultants treating patients in our facilities are not CHG employees; they are however self-employed practitioners working under strict confidential requirements. The consultant is the data controller of your personal data, either alone or jointly with CHG and they practice their specialties in accordance with the terms of our Practicing Privileges policy.
Some consultants may independently engage in clinical activities such as Multi-Disciplinary Team (MDT) meetings- this may include the use of our facilities for the provision of required services. We try to ensure there is a single patient record for each patient who is seen at one of our hospitals, whether as an inpatient, outpatient or day case and we ask consultants working at our hospitals to ensure a copy of their records, including consultation records, is included in each patient’s records at the hospital. In addition to this, your consultant may also create their own records about you; where this occurs, we may refer you to them to process and respond to any requests from you, where you may have exercised your information rights under Data Protection Laws.
Audits, surveys and initiatives
In common with all healthcare providers (both NHS and private), we look at the quality of the care we provide to patients and health assessment clients and participate in national audits and initiatives to ensure that patients are getting the best possible outcomes from their treatment and care and to help patients make informed choices about the care they receive. We can assure you that your personal information remains under our control at all times and we ensure that except as described below in relation to our satisfaction surveys and outcomes surveys (also known as Patient Reported Outcome Measures or ‘PROMs’), any information we provide for national audits and initiatives outside of CHG will not contain any information in which any patient can be identified, unless it is required by law. Any publishing of this data will be in anonymised statistical form.
Consultants working at CHG may obtain your consent in being able to share your data with the British Spine Registry (BSR), in order to drive improvement in your care.
We use trusted third-party providers to help us with patient surveys. These surveys allow you to share your views to help us with the improvement of services we and our Consultants offer (our patient satisfaction surveys) and help us to assess clinical outcomes from your treatment and care (our ‘PROMs’ surveys).
Depending on the type of surgical procedure you undergo, you will be invited to complete two outcomes surveys- one survey before your operation and a second survey after your operation. The purpose of these surveys is to help ensure that patients are getting the best possible outcomes from their treatment and care. The outcomes surveys are offered in paper format. If you complete a paper outcomes questionnaire, we will share with our chosen third party your name, date of birth, patient record number, and your Consultant’s name.
Following your appointment or discharge from hospital, you may be invited to complete one of our patient satisfaction surveys. We offer the patient satisfaction surveys both in paper and online format. Where you have been admitted for treatment, we will share with our trusted third-party provider your name and your email address so they can send you a link to the online admitted care patient satisfaction survey after you have been discharged. If you include your contact details on the online survey form or on the paper survey form, then our trusted third-party provider will hold those details. If you complete the survey on paper, we will share your name, date of birth, address, patient record number (EMPI number), NHS number, the date you attended the hospital for your appointment, and your Consultant’s name and General Medical Council registration number unless you request otherwise. Our satisfaction survey provider collates and analyses the responses received and passes these to us; unless you choose to include your contact details, we cannot identify individual patients from those responses. Also, our trusted third-party provider shares information about NHS patients directly with NHS Digital for outcome data, whilst CHG shares this with the NHS for satisfaction data.
We may also ask you questions about the quality of our service at the end of our telephone-based pre-assessment screening.
One of the national programmes we participate in is run by the Private Healthcare Information Network (PHIN) which is an independent statutory entity enabling patients to compare privately funded healthcare (both hospitals and consultants). PHIN has its own privacy notice (a copy of which can be accessed via their website). We may share some of your personal data (including NHS Number in England and Wales, CHI Number in Scotland or Health and Care Number in Northern Ireland, as well as age, gender, ethnicity or race, diagnosis, and details relating to the procedure you underwent) with PHIN. That would enable PHIN to send this Number to the relevant national information authority (for example NHS Digital in England) which can link it to national hospital and mortality data. The linked information, with your personal data removed, would then be provided to PHIN to measure quality of care, check for adverse events after discharge from this hospital, such as unplanned readmissions to hospital, emergency transfers between hospitals, or deaths following treatment. Additionally, the records we send to PHIN will include your postcode to enable statistical processing. Personal information is treated with high standards of confidentiality in accordance with data protection laws and the duty of confidentiality. Any information that is published will always be in anonymised statistical form and will not identify you. This information will not be shared or analysed for any purpose other than those described in this section. As we are required by law to share this information with PHIN, and it is also necessary for the purposes of the management of the private health sector, we do not need your consent in order to share it.
In addition, we are also required to provide Patient Reported Outcome Measures (PROMS) – patient reported health improvements following treatment and details of any adverse events relating to the patients treated.
Change of hospital ownership
If we were to sell or transfer a hospital or part of our business to another organisation, your patient and health assessment records would also transfer to the new owner. Limited information may also be shared, where required, with legal and other professional advisors involved in that transaction.
The reason we would transfer your records is to minimise the disruption to current or past patients caused by the sale or transfer and to ensure we and a new owner were able to comply with our legal obligations regarding the retention of patients’ and other clients’ medical records and to ensure continuity of care.
Where you have provided us with consent
You may choose to opt in to receiving information about other services CHG offers by post or email.
In this case, your consent or decision to opt in is entirely voluntary. Should you decide not to consent or opt-in or should you change your mind at any time, you do not need to give a reason and your medical care and legal rights will not be affected. If you would like further information on how you could either opt in or out, please contact our Data Protection Officer (contact details can be found at the bottom of this page).
Apart from this limited instance, we do not hold or share information about you based on (or at least solely on) consent.
What legal basis does Circle Health Group have for using information about me?
The Data Protection legislation requires that we set out the legal basis for holding and using information about you. We have set out the various reasons we use information about you and alongside each, the legal basis for doing so. Given that some information we hold about you is particularly sensitive (as described above), we need an additional legal basis which we have set out in the third column (entitled ‘legal basis for more sensitive information’) explaining our reason for this.
|Additional legal basis for special categories of personal data:
|Taking an enquiry and establishing an initial patient or health assessment client record
|Providing healthcare (or health assessment) and related services
|Seeking and receiving payment of fees, including billing, invoicing and settlement of your account with us including debt collection where applicable
|Administration and management of healthcare services (such as maintaining records including patient medical records, receiving professional advice)
|Communicating with you and resolving any queries or complaints that you might have. Communicating with any other individual that you ask us to update about your care (such as your emergency contact) and liaising with other healthcare professionals about your care
|Complying with our legal and regulatory requirements including investigating complaints or claims and defending or exercising our legal rights
|Clinical research and development
|Safeguarding purposes (for example, in order to ensure the health and safety of an individual)
|Preventing and investigating fraud. This might include sharing your personal information with third parties such as the police or fraud prevention agencies, or carrying out fraud, credit, anti-money laundering and other checks
|We need to use the information for reasons of substantial public interest
|Carrying out marketing activities and providing marketing information to you
|Passing your records to a third party to whom we sold or transferred part of our business or a hospital
Where and for how long does Circle Health Group store information about me?
The information about you that we process is held securely in the United Kingdom and stored in paper format and on our secure servers. However, in some instances, your personal information may be processed for medical purposes or (particularly information not involving your medical information, because there is a legitimate interest or it is necessary for the performance of services to you) outside the United Kingdom ("UK") where the organisation paying for your health assessment, care or treatment is based outside the UK or where one of our suppliers is operating outside the UK. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.
We retain your records for certain periods (depending on the particular type of record) under our retention of records policy. This is to ensure that information is properly managed and is available whenever and wherever there is a justified need for that information, including to support patient care and continuity of care; to support evidence-based clinical practice and to assist clinical and other audits; to support our legitimate interests, and to meet legal requirements. Your records may be transferred to an off-site storage provider, who may continue to hold your records in paper format or transform them into a digital format. Your records may not be retained in hard copy form where a digital copy exists.
If you would like more detailed information on this, please contact our Head of Information Governance and Data Protection Officer (DPO) (contact details below).
National Data Opt-Out
The national data opt-out is a service that allows the public to register to opt-out of their confidential patient information being used for research and planning, in line with the recommendations of the National Data Guardian. It gives people more control over how their confidential patient information is used. Information is available on the NHS website and you can raise your queries by emailing the Head of Information Governance and Data Protection Officer (DPO).
Automated Decision Making
We use third party providers such as Google, Facebook and other social media platforms to display relevant and focused adverts to target audiences. This is a form of automated decision making, undertaken by third parties, which can be based on specific criteria. For instance, adverts may be displayed in Google search results to reflect your search terms, or an event promotion on Facebook based on criteria such as demographics, location and job title. You have a right to not be subject to decisions that are made about you by computer alone. To update your preferences for advertising in this way, please contact these third-party providers directly.
What rights do I have?
Under certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you informed. If you wish to exercise any of the rights set out below, please contact the Data Protection Officer (DPO) using the contact details set out below.
Details of your rights are set out below.
The right to access your personal information
You are usually entitled to a copy of the personal information we hold about you and details about how we use it.
Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.
You are entitled to the following under data protection law.
Under data protection law we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:
- The purposes for which we use your personal information
- The types of personal information we hold about you
- Who your personal information has been or will be shared with, including in particular organisations based outside the UK
- If your personal information leaves the UK, how we make sure that it is protected
- Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for
- If the personal data we hold about you was not provided by you, details of the source of the information
- Whether we make any decisions about you solely by computer and if so details of how those decision are made and the impact they may have on you
- Your right to ask us to amend or delete your personal information
- Your right to ask us to restrict how your personal information is used or to object to our use of your personal information
- Your right to complain to the Information Commissioner's Office
We also need to provide you with a copy of your personal information.
If you are a patient of CHG and you wish to request details of or a copy of your medical records, please contact the hospital at which you have received the care and treatment. For all other requests for any personal information, we may hold (such as employment records, if you are an ex-employee) please direct your request to the Data Protection Officer (DPO) using the contact details below.
The right to request correction of your personal information
We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.
The right to request erasure of your personal information
In some circumstances, you have the right to request the erasure of the personal information that we hold about you. This is also known as the 'right to be forgotten'. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
The right to object to the processing of your personal information
In some circumstances, you have the right to object to the processing of your personal information. However, there are exceptions to this right and we do not have to “pause” the processing of your information where, in particular, if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
The right to request a transfer of your personal information
In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/ organisation of your choice. The information must be transferred in an electronic format.
The right to object to marketing
As detailed in the ‘marketing’ section above, you can ask us to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting the Head of Information Governance and Data Protection Officer (DPO).
The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)
You have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.
The right to withdraw your consent
You have the right to withdraw your consent where we rely upon this as a legal ground for processing your information. You can do this by contacting our Head of Information Governance and Data Protection Officer (DPO).
The right to complain to the Information Commissioner's Office
You have the right to complain to the Information Commissioner's Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law.
Making a complaint will not affect any other legal rights or remedies that you have.
More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/ and the Information Commissioner’s Office can be contacted by post, phone, fax or email as follows:
Information Commissioner's Office
Water Lane, Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 9 (if you prefer to use a national rate number)
Fax: 01625 524 510
Email: [email protected]
We use CCTV in various parts of our hospitals. CCTV is used for the safety and security of our patients, health assessment clients, visitors, and staff.
We (or third parties acting on our behalf) may process information about you in countries outside the UK/EEA. Where this occurs, we take every reasonable step to ensure your data is securely protected. As described briefly above in this Privacy Notice, we may from time to time and where it is necessary to do so in order to provide you with the best care and treatment, engage and work with some specialist companies that are based outside of the UK. This includes providers of specialist medical devices, such as robotic surgical aids and cardiac monitoring, bespoke prostheses and certain genomic testing. In order to make use of those services, your personal data may be transferred to the provider of the device or service in question, all of whom are currently based in the US. That transfer would only take place where there are robust technical and organisational measures including Standard Contractual Clauses prescribed by the UK’s Information Commissioner, which oblige the recipient of your data to ensure that it is appropriately safeguarded. In ensuring that our data is secured and continually monitored against any unauthorised access, we may transfer a limited amount of data, such as IP addresses to the UAE for evaluation.
We may also transfer specimens to specialist clinics in the US for particular specialised tests, but this will only take place in circumstances where we have a lawful basis to do so (of both the specimen and data) and there are adequate technological and organisational securities in place.
Contacting Circle Health Group and the Data Protection Officer
For further questions or to exercise any rights set out in this Privacy Notice, please contact Circle Health Group’s Data Protection Officer:
Data Protection Officer
Circle Health Group
30 Cannon Street
London, EC4M 6XH
Email: [email protected].
This Privacy Notice was last updated on February 2024.