Circle Health Group website privacy notice

We will review this Privacy Notice periodically and we advise you to check back on our website for the latest version.

Who has information about me?

Circle Health Group Limited is our main operating company and is part of the Circle Health Holdings Limited group of companies. Some of our hospitals (Southend Private Hospital, Three Shires Hospital and Syon Clinic) and some of the services in some of our hospitals (the oncology service at Beardwood Hospital and some imaging services at Mount Alvernia Hospital and Three Shires Hospital) are owned by partner companies, each of which has a management contract with Circle Health Group Limited (formerly BMI Healthcare Limited) and forms part of the Circle Health Group. A partner company also owns the CT and MRI scanners at The Meriden Hospital; this service is managed by UME.

All these companies are registered at Circle Health Group, 1^st Floor, 30 Cannon Street, London EC4M 6XH and their full names and registered company numbers are as follows:

• Circle Health Group Limited (formerly BMI Healthcare Limited) - 02164270
• Three Shires Hospital LLP - OC398963
• Southend Private Hospital Limited - 05155289
• Syon Clinic Limited - 05706302
• North West Cancer Clinic Limited - 05706220 - The Beardwood Hospital oncology service
• BMI Imaging Clinic Limited - 05706274 - imaging service at Mount Alvernia Hospital
• The Pavilion Clinic Limited - 06061941 - imaging service at Three Shires Hospital
• The Meriden Hospital Advanced Imaging Centre Limited - 05607465 - MRI and CT service at The Meriden Hospital
• Circle Hospital (Reading) Limited - 06995585
• Circle Rehabilitation Services Limited - 10527747
• Circle Clinical Services Limited - 07714059
• CHG Management Services Limited - 05042771

Each of these companies may, to the extent relevant, collect, retain and use information about you and we refer to these collectively as 'Circle Health Group', 'Circle' or 'CHG' in this document.

This Privacy Notice sets out what personal information we may collect from you and how that information may be used when using Circle's websites.

In particular, this Privacy Notice explains

• how we will manage your personal information, from the point of collection and onwards;
• how we use and handle your information, and how we will comply with any relevant laws; and
• your rights in relation to your personal data, and how you can exercise them.

This Privacy Notice does not cover any links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our websites, we encourage you to read the privacy policy of every website you visit.

To reflect UK data protection laws around consent, our websites are not intended or designed for children under the age of 13.

However, in Scotland, age 12 is the age at which, under s208 of the Data Protection Act 2018, children are presumed (unless the contrary is shown) to be of sufficient age and maturity to have a general understanding of what to means to exercise data protection rights.

If you are under 13 living elsewhere in the UK (or under 12 in Scotland) and wish to ask a question or use this website in a way that requires you to submit any personal information, please ask your parents or guardian to do it on your behalf.

If we learn that we have unknowingly collected personal information from someone under the age of 13 and not in line with the above, we will delete such information as quickly as possible.

Introduction

Circle Health Group (Circle) is an independent provider of private healthcare, offering treatment to private patients and NHS patients. In order to provide healthcare services, Circle need to collect and process certain information about you ("personal data"). This makes Circle Health Group a 'data controller' for the information that it collects and processes about you and makes you the 'data subject'.

Circle is committed to protecting and respecting your personal information. This Privacy Notice explains what personal information we may collect from you and how that information may be used. Please take your time to read this Privacy Notice carefully.

The key actions of this Privacy Notice are:

1. About us
2. What personal information do we collect from you and where do we collect it from?
3. Why do we collect your personal information?
4. Who do we share your personal information with?
5. What marketing activities do we carry out?
6. Your rights
7. How long do we keep your personal information for?
8. International data transfers
9. How to contact us

1. About us

In this Privacy Notice we use 'we', 'us', 'our', and 'Circle'to refer to Circle Health Group.

We will advise you in our communications of the specific company within the Circle Health group of companies which is making decisions about the use of your personal information.

2. What personal information do we collect from you and where do we collect it from?

We may collect information about you when you request any information about us or our services, submit your personal details and/or complete any forms on the website, contact us via social media or use our live chat facilities on our website. This information will come directly from you. In limited circumstances we may also receive information about you on your behalf, such as where you have asked a family member to contact us, or if your GP contacts us directly. Personal information, or personal data, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may also collect special categories of personal information about you. This includes personal information relating to details about your health, and genetic and biometric data, race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, or trade union.

If you provide personal information to us about other individuals (including medical or financial information) you should inform the individual about the contents of this Privacy Notice. We will process such information in accordance with this Privacy Notice.

We have set out details below about the types of personal information we are likely to collect and use about you when you use our websites or interact with us via social media. The extent of the information we collect and use will depend on what information you choose to provide to us or what information is provided to us on your behalf.

Personal data

• General information you provide, such as your name, address, contact details, date of birth, gender and next of kin
• Information relating to appointments or other enquiries you make
• Information regarding your ability to pay for services and payment information
• Information regarding your experiences with us
• Information you provide in surveys or feedback
• Information relating to any complaint you may make against us or our staff
• Information about your areas of interest, if you are signing up to receive our update emails
• Information you send in any job application or speculative enquiries in relation to job vacancies, such as employment history or qualifications
• Information when you visit our websites.Circle Health Group uses Google Analytics and cookies in order to improve our service and user experience and to analyse how the website is used. The information collected by Google Analytics is analysed as anonymous traffic including browser information, device information, and trends related to page views and sessions. The collected information is used to provide an overview of how people are accessing and using Circle's websites. For more information about our use of cookies, please see our cookie policy.
• Location information to refine your website search: our 'Postcode or town' search uses Google functionality to help refine location-based search results. If you select 'Use current location' you will be prompted to give your consent for our website to use this. If you choose to manually enter location information into the 'Postcode or town' fields on our website, this information is used to refine your searches to show you relevant local results e.g. consultants working at local hospitals.

Special categories of personal data

• Details of your current or former health condition, including information about medication, lifestyle and other information that may be relevant to your health e.g. employment history, family conditions; race; ethnicity; sex life or sexual orientation, religious or philosophical beliefs
• Information relating to criminal convictions (including offences and alleged offences and any court sentence or unspent criminal conviction)
• In limited circumstances, we may process other sensitive personal information including details of your political opinions; and trade union membership, for example, where it is relevant to your health or social history

3. Why do we collect your personal information?

We process your personal information for the purposes set out in this Privacy Notice. We will only use your personal data when the law allows us to. Each time we use your data we must have a legal justification to do so. The particular justification will depend on why we are using your data. When the information that we process is classed as "special categories of personal information", we must have a specific additional legal justification in order to use it as proposed.

Generally, we will rely on the following legal grounds for processing your personal data:

• Taking steps at your request so that you can enter into a contract with Circle Health Group and/or a clinician to receive healthcare services from us, or for the purposes of that contract. If we have a contract with you, we will process your personal information in order to fulfil that contract (that is, to provide you with our products and services).
• Taking steps at your request so that you can enter into an employment contract with Circle Health Group, or for the purposes of that contract.
• We have an appropriate business need (a 'legitimate interest') to process your personal information and those interests are not overridden by your privacy rights. We will rely on this for activities such as administration and service improvement. Further details of those legitimate interests are set out in more detail below.

We may process special categories of personal information about you because:

• It is necessary for the purposes of preventive or occupational medicine, providing you with medical diagnoses, providing you with healthcare or for the management of our healthcare services.
• It is necessary for reasons of substantial public interest, such as insurance-related purposes or for preventing or detecting fraud.
• The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.

You will find further details of our "legal grounds" for each of our processing purposes set out below.

Providing healthcare and related services

Legal grounds:

• The use is necessary to provide you with healthcare and other related services.
• The use is necessary for fulfilling our contract with you for the delivery of healthcare.
• The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.

Additional legal grounds for special categories of personal data:

• The use is necessary to provide you with healthcare and other related services.
• The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent.
• The use is necessary for an insurance-related purpose.

The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent.

Administration and management of healthcare services (such as maintaining records, receiving professional advice)

Legal grounds:

• The use is necessary to provide you with healthcare and other related services.
• The use is necessary to comply with a legal or regulatory obligation.
• The use is necessary for fulfilling our contract with you for the delivery of healthcare.
• The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.

Additional legal grounds for special categories of personal data:

• The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
• The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.

Service improvement, evaluation and audit (in order to improve the healthcare services that we provide)

Legal grounds:

• The use is necessary for compliance with a legal or regulatory obligation.
• The use is necessary to provide you with healthcare and other related services.
• The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.

Additional legal grounds for special categories of personal data:

• The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
• You have given us your explicit consent.

Communicating with you and resolving any queries or complaints that you might have. Communicating with any other individual that you ask us to update about your care.

Legal grounds:

• The use is necessary to provide you with healthcare and other related services.
• The use is necessary for compliance with a legal obligation.
• The use is necessary for fulfilling our contract with you for the delivery of healthcare.
• The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
• You have given us your explicit consent.

Additional legal grounds for special categories of personal data:

• The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
• The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.
• You have given us your explicit consent.

Complying with our legal and regulatory requirements

Legal grounds:

• The use is necessary for compliance with a legal obligation.
• The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
• You have given us your explicit consent.

Additional legal grounds for special categories of personal data:

• The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
• The use is necessary in order for us to establish, exercise or defend our legal rights.
• You have given us your explicit consent.

Clinical review and development

Legal grounds:

• The use is necessary to provide you with healthcare and other related services.
• The use is necessary for compliance with a legal obligation.
• The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
• You have given us your consent.

Additional legal grounds for special categories of personal data:

• The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
• We need to use the information for reasons of substantial public interest such as, in response to COVID-19
• The use is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care.
• The use is necessary for public interest or scientific research purposes so long as it is subject to appropriate safeguards.
• You have given explicit consent.

Safeguarding purposes (for example, in order to ensure the health and safety of an individual)

Legal grounds:

• The use is necessary for compliance with a legal obligation.
• We need to use the information to protect your vital interests or the vital interests of a third party.
• The use is necessary to provide you with healthcare and other related services.

Additional legal grounds for special categories of personal data:

• We need to use the information to protect your vital interests or the vital interests of a third party and you or the third party are physically or legally incapable of giving consent.
• We need to use the information for reasons of substantial public interest, such as the use being necessary in protecting an individual from neglect or physical, mental or emotional harm and protecting the physical, mental or emotional wellbeing of an individual.
• You have given us your explicit consent.

Preventing and investigating fraud. This might include sharing your personal information with third parties such as the police or fraud prevention agencies, or carrying out fraud, credit, anti-money laundering and other checks

Legal grounds:

• The use is necessary to provide you with healthcare and other related services.
• The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.

Additional legal grounds for special categories of personal data:

• We need to use the information for reasons of substantial public interest.

Carrying out marketing activities and providing marketing information to you

Legal grounds:

• The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
• You have given us your consent.

For employment and pre-employment purposes, such as considering job applications from you, carrying out pre-employment checks and entering into an employment contract

Legal grounds:

• Taking steps at your request so that you can enter into an employment contract with Circle Health Group, or for the purposes of that contract.
• We have a legal or regulatory obligation to use your personal information.
• The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
• You have provided your consent to our use of your personal information.

Additional legal grounds for special categories of personal data:

• We need to use the information for reasons of substantial public interest.
• It is necessary for the management of our healthcare services.
• It is information that you have made public.
• You have provided your explicit consent.

4. Who do we share your information with?

From time to time, we may share your personal information with others. We will keep your personal information confidential and only share it with those listed below for the purposes explained in the previous section.

Sharing within the Circle Health group of companies

We may share your information with other companies in the Circle Health Group, for example, in order to provide you with healthcare services or progress your employment application.

Sharing with third parties

We may share information with the following third parties:

• Clinicians or other healthcare professionals involved in your treatment
• Other staff involved in your healthcare, such as receptionists, secretaries and administrative assistants
• Organisations from which you are receiving healthcare services, such as your GP or dentist
• Third parties who are involved in your healthcare, such as insurers
• Other private sector healthcare providers
• The Private Healthcare Information Network
• Third parties involved in research or audit projects
• NHS organisations, including NHS Resolution, NHS England, Clinical Commissioning Groups, NHS Foundation Trusts, NHS Trusts, or the Department of Health as well as third parties that have contractual relationships with such NHS organisations
• Government bodies such as the Home Office and HMRC
• Regulators, such as the ICO, the Care Quality Commission, Health Inspectorate Wales, and Health Improvement Scotland
• The police and other third parties where reasonably necessary for the prevention or detection of crime
• Anyone that you have asked to communicate with us on your behalf, or have named as an emergency contact, such as your representative, next of kin or carer
• Debt collection agencies
• Our insurers
• Our third party services providers and advisers, such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document storage and management providers and tax advisers
• Preferred partners for credit agreements
• Credit referencing agencies
• Any third parties involved in the sale, transfer or disposal of all or a part of our business

We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.

5. What marketing activities do we carry out?

We may use your information to provide you with information about products or services which may be of interest to you where you have provided your consent for us to do so.

To enable us to provide you with email marketing services, the information you register with on our website is processed by a third-party company.

At Circle Health Group, we take patient confidentiality seriously. For all registrations made via our website, you will be sent Circle's email marketing from a third party company, who are working on our behalf.

Where you are receiving marketing information by email, you can unsubscribe by contacting our Data Protection Officer (DPO) details shown below.

We use live chat software on our website, this is provided by Click4Assistance, a 3rd party UK based Software Company. Information regarding how the data is processed and stored can be viewed here.

We occasionally pass your information on to market research companies which carry out surveys and collate feedback on our behalf. We use this information to help improve our services and develop and improve products.

If you do not wish to receive non-email based marketing information or do not want us to pass your information on to market research organisations, please contact our Data Protection Officer ('DPO') using the contact details below.

Automated decision making

We use third party providers such as Google, Facebook and other social media platforms to display relevant and focused adverts to target audiences. This is a form of automated decision making, undertaken by third parties, which can be based on specific criteria. For instance, adverts may be displayed in Google search results to reflect your search terms, or an event promotion on Facebook based on criteria such as demographics, location and job title. You have a right to not be subject to decisions that are made about you by computer alone. To update your preferences for advertising in this way, please contact these third-party providers directly.

We may engage the services of third-party organisations to conduct specified analysis for the improvement of our marketing activities. Where this occurs, it would involve the sharing of customers’ information held by CHG, with companies that have specialist knowledge in data matching, segmentation (separating individuals into varied groups based on available information) and profiling; the results help us to better target our products to the right customers. In meeting our legal obligations, we would only share your data where it is necessary and in the legitimate interest of CHG which would be balanced against your rights and interest. We will not use automated decision-making for this.  We also use ‘geotargeting’ to display relevant, local content to you on our websites. For instance, you may see information specific to our hospital in Reading if you live in the Berkshire area. We may also use cookies for retargeting purposes, which enable us to display relevant CHG adverts on other websites which may be of interest. You can change your cookie preferences at any time by accessing our cookie policy. You can then adjust the available sliders to ‘On’ or ‘Off’. You may need to refresh your page for your settings to take effect.

6. Your rights

Under certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you wish to exercise any of the rights set out below, please contact the Data Protection Officer using the contact details set out below.

Details of your rights are set out below.

The right to access your personal information

You are usually entitled to a copy of the personal information we hold about you and details about how we use it.

Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.

You are entitled to the following under data protection law.

Under data protection law we must usually confirm whether we have personal information about you. If we do hold personal information about you, we usually need to explain to you:

• The purposes for which we use your personal information.
• The types of personal information we hold about you.
• Who your personal information has been or will be shared with, including in particular organisations based outside the UK.
• If your personal information leaves the UK, how we make sure that it is protected.
• Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for.
• If the personal data we hold about you was not provided by you, details of the source of the information.
• Whether we make any decisions about you solely by computer and if so, the details of how those decision are made and the impact they may have on you.
• Your right to ask us to amend or delete your personal information.
• Your right to ask us to restrict how your personal information is used or to object to our use of your personal information.
• Your right to complain to the Information Commissioner's Office.

We also need to provide you with a copy of your personal information.

If you are a patient of Circle Health Group and you wish to request details of or a copy of your medical records, please contact the hospital at which you have received the care and treatment. For all other requests for any personal information we may hold (such as employment records, if you are an ex-employee) please direct your request to the Data Protection Officer, using the contact details below.

The right to request correction of your personal information

We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.

The right to request erasure of your personal information

In some circumstances, you have the right to request the erasure of the personal information that we hold about you. This is also known as the 'right to be forgotten'. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.

The right to object to the processing of your personal information

In some circumstances, you have the right to object to the processing of your personal information. However, there are exceptions to this right and we do not have to "pause" the processing of your information where, in particular, if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.

The right to request a transfer of your personal information

In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/ organisation of your choice. The information must be transferred in an electronic format.

The right to object to marketing

As detailed in the 'marketing' section above, you can ask us to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting the Data Protection Officer.

The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)

You have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.

The right to withdraw your consent

You have the right to withdraw your consent where we rely upon this as a legal ground for processing your information. You can do this by contacting our Data Protection Officer.

The right to complain to the Information Commissioner's Office

You have the right to complain to the Information Commissioner's Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law.

More information can be found on the Information Commissioner's Office website: https://ico.org.uk/

Making a complaint will not affect any other legal rights or remedies that you have.

7. How long do we keep personal information for?

We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations.

8. International data transfers

We (or third parties acting on our behalf) may transfer, store or process information about you in countries outside the UK. Where this is the case we take the required steps to ensure that your personal information is protected.

9. How to contact us

Our Data Protection Officer ("DPO") helps us to make sure that the Circle Healthcare group of companies comply with data protection law. Our Data Protection Officer has responsibility for data protection compliance in respect of the companies set out above.

The Data Protection Officer can be contacted by:

• Email: [email protected]
• Post: Circle Health Group, 1st Floor, 30 Cannon Street, London, EC4M 6XH

If you would like further information about any of the matters in this Privacy Notice or have any other questions about how we collect, store or use your personal information, please contact the DPO using the details above. Please also contact the DPO if you have any feedback about this Privacy Notice.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time to ensure that it remains accurate.

This Privacy Notice was last updated in October 2023