Mayo Clinic Healthcare Privacy Notice

Mayo Clinic Healthcare takes your privacy rights seriously. We respect the privacy of all individuals we deal with, including our website visitors, clients who use our medical services, suppliers, enquirers and anyone else we encounter in our business.

This Policy sets out information about how we use, store and transfer personal data which we receive through our website https://www.mayoclinichealthcare.co.uk/ (the Site or our website) or any other means. We act as a Data Controller in relation to any personal data you provide to us, which means we will only process and share your data in line with the requirements of the applicable data protection laws and we will take all necessary steps to ensure that those with whom we legitimately share your data are equally robust in their approach to data protection.

This Policy also contains information about our use of cookies. We will ask you to consent to our use of cookies in accordance with the terms of this Policy when you first visit our website.

We or us means Mayo Clinic Healthcare LLP, a limited liability partnership registered in the United Kingdom under number OC418962 whose registered offices are at 15 Portland Place Marylebone London W1B 1PT.

Summary

Full details of how we look after your data when you visit our website or seek care or services from us are set out in the relevant sections below, but in summary, the key points are:

• We will normally receive your personal information directly from you but sometimes, we may receive information about you from third parties such as your employer or your GP or other physician;
• we will only use any personal data provided by you to provide you with information about our services, to provide healthcare or for the purpose of administration of our business and the services we offer which will include keeping appropriate records and meeting our legal obligations;
• we will only provide your personal data to third parties at your specific request or for our lawful business purposes or as required by law. We will not share your data with third party advertisers;
• we will store all personal data securely for the periods specified by data protection and other applicable laws;
• you have legal rights in relation to your personal data which you can exercise on request;
• our website uses cookies; and
• you can contact us to enquire about any of the contents of this Privacy Notice (see contact details below).

1. Personal Data we Collect

In this section we have set out the kinds of personal data that we may collect, use, store and transfer. We have grouped this data together into different categories based on its subject matter, and based on the kinds of individuals to whom they relate.

Data relating to almost everyone we deal with: e.g. Site users, enquirers, suppliers

1.1 We may process data about your use of our Website (usage data), which we obtain through our analytics tracking systems. This usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your browsing.

1.2 We may process information contained in or relating to any enquiry or communication that you send to us or that we send to you (correspondence data). This could for example include enquiries from potential clients, enquiries from journalists or any other correspondence. The correspondence data may include the communication content and metadata associated with the communication, as well as any contact details you may provide to us such as your name, email address, phone number, job title, address or social media username.

Data relating to clients and their families

1.3 We may process the registration data (registration data) you provide to us in setting up your registration with us as a client. The registration data may include your name, email address, phone number, postal address, contact details of previous and current physicians, dependents or next of kin.

1.4 We may process information provided by you to us, or created by us in the course of providing you with clinical services and treatment. This will largely relate to your health and treatment so we will refer to it as health data, but it might also include records relating to other matters such as your personal history, ethnicity, sex life or sexual orientation. Because this information is sensitive in nature (and treated as special category data for the purposes of the General Data Protection Regulation (GDPR) it is afforded even greater levels of care and security and we will take all necessary steps to safeguard it.

1.5 We may collect or process your credit or debit card details when you make payments. To process this payment we use a service provider who will collect and process your card details.

1.6 We may receive personal data relating to your dependents, carers, next of kin or employers. We call this family data. Typically, this information will comprise contact details only.

Data relating to suppliers and other commercial partners

1.7 If we have some other commercial relationship with you or with your employer (for example, a supply, purchase, sponsorship or referral relationship) then we may handle your contact details (name, job title, email address, postal address, telephone number), any related communications, and any related documents (such as contracts, POs and invoices, proposals and so on). We call all of this partner data.

Data relating to visitors

1.8 We may process information relating to visitors to our premises, such as their name, employer, role, contact details, CCTV footage and vehicle registration number. We call all of this visitor data.

Personal data we obtain from others

1.9 Your personal data may be provided to us by someone other than you. We might be introduced to you in correspondence by a mutual acquaintance, or your employer might introduce us to you, or we may obtain your contact details in the course of market research if you have a public role and if those details are publicly available. Normally this data will be correspondence data or partner data as described above. We may also receive health data from your GP or other physician where you have instructed them to provide, or consented to them providing, that health data.

2. Our purposes and legal bases of processing

2.1 We have set out below, in table format, a description of all the ways we may use your personal data. We are also required by law to identify the legal basis on which we handle personal data. These legal bases are set out in Article 6 of the General Data Protection Regulation (GDPR). When we process personal data on the basis of our legitimate interests then we also need to identify those legitimate interests and have done so below.

2.2 Note that we may process your personal data on more than one legal basis depending on the specific purpose for which we are using your data. You may contact us for further information if you wish by using the contact details provided below.

Type of Data	Purpose/Activity	Legal Basis for Processing
Website Usage Data	Analysing the use of, and improving, our website and services, security monitoring and fraud detection and to ensure our website is presented in the most effective manner.	Our legitimate interests (Art 6.1(f) GDPR), namely delivering and improving our website, informing marketing strategy, and ensuring the security of the Site.
Correspondence Data	To communicate with you. If you have indicated your interest in our services then we may also process correspondence data to provide you with occasional news about our services and marketing communications (although you will be free to unsubscribe at any time).	Our legitimate interests, namely properly administering our business and communications, developing our relationships with interested parties and addressing user concerns and queries (Art 6.1(f) GDPR). Where correspondence data relates to marketing, our legitimate interests in developing our business (Art 6.1(f) GDPR). Where correspondence relates to a potential contract with you, then our legal basis may be for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Art 6.1(b) GDPR).
Registration Data	Operating our business, providing our services, and communicating with you.	Performance of a contract with you (i.e. delivering our services) (Art 6.1(b) GDPR). Our legitimate interests, namely properly administering our business, services and communications (Art 6.1(f) GDPR).
Health data	Operating our business providing our services, and communicating with you.	Performance of a contract with you (Art 6.1(b) GDPR). Necessary for diagnosis and the provision of health care (Art 9.2(h)) Occasionally, in addition to the contractual relationship we will have with you, we may also require your specific consent for certain processing in order to provide certain treatment or services, in which case we will undertake such processing under the legal basis of Consent as provided by Articles 6.1 (a) and 9.2 (a) of the GDPR.
Payments data	Making and receiving payments to and from our clients.	Performance of a contract with you (Art 6.1(b) GDPR).
Family data	Administering our services, liaising between clients and connected persons.	Performance of a contract with you (i.e. delivering our services) (Art 6.1(b) GDPR). Our legitimate interests, namely properly administering our business, services and communications.
Partner data	Administering our commercial relationship with those with whom we do business.	Performance of a contract (Art 6.1(b) GDPR). Our legitimate interests, namely properly administering our business and communications, and developing commercial relationships(Art 6.1 (b).
Visitor Data	Recording visitors to our site	Compliance with our legal obligations (Art 6.1(c) GDPR). Our legitimate interests, namely ensuring the safety and security of our site and visitors(Art 6.1 (f).
Any personal data	For the purposes of legal compliance (e.g. maintaining tax records)	Compliance with our legal obligations(Art 6.1.(c).
Any personal data	For the purposes of bringing and defending legal claims	Our legitimate interests, namely being able to conduct and defend legal claims to preserve our rights and those of others(Art 6.1.(f).
Any personal data	Record-keeping and hosting, back-up and restoration of our systems.	Our legitimate interests, namely ensuring the resilience of our IT systems and the integrity and recoverability of our data(Art 6.1 (f).

3. Sharing your personal data with others

We will not share your personal data with anyone outside of the legal basis described above. There are certain parties/situations where we are legitimately permitted to share your data for specific purposes. These include:

3.1 Our advisors. We may disclose your personal data to our insurers and/or professional advisers to take professional advice and manage legal disputes.

3.2 Disclosures designated by you. We may disclose your personal data to third parties designated by you, such as family members or consultant physicians.

3.3 Our service providers. We may disclose personal data to our service providers or subcontractors in connection with the uses we have described above. For example, we may disclose:

1. any personal data in our possession to suppliers which host the secure servers on which our data is stored, or who provide hosted software or systems, or communications services to us. This may include the provision of health data to data processors who will use it solely under our instructions as necessary to provide those sorts of services to us (and in particular to Siemens Healthcare, Insignia Medical Systems, Cerner UK and Wellbeing Software)
2. any personal data in our possession to freelance or consultant personnel working for us. In particular, we may provide health data to consultant physicians, including to physicians providing e-consultation in relation to your healthcare. Some of these physicians may be located outside the European Economic Area (in particular, we may consult with the Mayo Clinic in the USA and with Medica Reporting Limited, whose radiologists may be located outside the EEA);
3. personal data to individuals providing translation or interpreter services, where you have elected to use them. For example, if you ask us to provide an interpreter for a tele-consultation, then the interpreter will necessary receive and translate personal data in the course of that consultation. However, the interpreter is required to keep no record of that personal data beyond the consultation;
4. patient personal data with the patient's insurers or corporate sponsors, in order for payment to be made to us by those insurers or corporate sponsors on the patient's behalf;
5. payments data and other relevant personal data to third parties for the purposes of fraud protection, credit risk reduction and debt recovery.
   1. Sharing required by law. We have regulatory and/or compliance obligations to share certain clinical data with various governmental and regulatory bodies (for example the Care Quality Commission). This may include personal data, including your NHS patient identification number or its equivalent.
   2. We do not allow our data processors to use your personal data for their own purposes. We only permit them to use your personal data for specified purposes, in accordance with our instructions and applicable law.
   3. Compliance. We may also disclose your personal data where necessary to comply with law.
   4. Restructuring. If any part of our business is proposed to be sold or transferred, your personal data may be disclosed to the new owner or in connection with the relevant negotiations.

4. International transfers of your personal data

Some of the third parties to whom we may transfer your personal data, discussed above, may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. If so, then we will ensure that transfers by our appointed data processors will only be made lawfully (e.g. to countries in respect of which the European Commission has made an "adequacy decision", or with appropriate safeguards such as the use of standard clauses approved by the European Commission or the use of the EU-US Privacy Shield). You may contact us, using the details below, if you would like further information about these safeguards.

5. Data security

5.1 We have put in place appropriate security measures to protect your personal data. We also have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where required by law.

5.2 Unfortunately, no transmission or storage system can be guaranteed to be completely secure, and transmission of information via the internet is not completely secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem using the contact details below.

6. Retaining and deleting personal data

6.1 We will comply with our legal obligations in relation to the retention and deletion of personal data, and in particular ensure that personal data that we process is not be kept for longer than is necessary for the relevant purposes. In particular:

1. partner and payments data will be retained for seven years after the end of the relevant contractual relationship;
2. correspondence data will be retained for the period of the enquiry or chain of correspondence and then deleted after twenty-four months, unless it relates to a client in which case it shall be retained for the same period as the related registration and health data;
3. most data associated with any client, including registration, health and family data which forms part of a medical record, will be retained for eight years following the conclusion of treatment; and
4. any data which is anonymised, and therefore not personal data, may be retained by us indefinitely. Typically, this will be derived from usage data.
   1. We maintain system backups for disaster recovery purposes. This means that information which is deleted from our live systems may still remain in backup until it is overwritten.
   2. We may retain your personal data longer than set out above where necessary to comply with law or in connection with any legal claim.

7. Your rights

7.1 You have rights under data protection law — they are complex, and subject to exemptions, and you can read guidance from the Information Commissioner's Office at www.ico.gov.uk for a fuller explanation of your rights. In summary, these rights are:

1. the right to access: you have the right to confirmation as to whether or not we process your personal data and, where we do, the right to access such personal data, together with certain additional information;
2. the right to rectification: you have the right to have any inaccurate or incomplete personal data about you rectified or completed;
3. the right to erasure: in some circumstances you have the right to the erasure of your personal data (for example, if the personal data are no longer needed for the purposes for which they were processed or if the processing is for direct marketing purposes);
4. the right to restrict processing: you have the right to restrict the processing of your personal data to limit its use. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except to the extent permitted by law;
5. the right to object to processing: you have the right to object to our processing of your personal data on the basis of legitimate interests (discussed above) or for direct marketing purposes and if you do so we will stop processing your personal data except to the extent permitted by law;
6. the right to data portability: you have the right to receive your personal data from us if the legal basis for our processing is your consent or for the performance of a contract with you, and such processing is carried out by automated means; and
7. the right to complain to a supervisory authority: if you consider that our processing of your personal data is unlawful, you have a legal right to lodge a complaint with the ICO.

8. Our use of cookies

8.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

8.2 Cookies may be either persistent cookies or session cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

8.3 Cookies do not typically contain any information that personally identifies a user (except for IP addresses in some cases), but personal information that we store about you may be linked to the information stored in and obtained from cookies.

8.4 We use these kinds of cookies:

1. Strictly Necessary Cookies: these cookies are essential to provide you with services available through our Site and to enable you to use some of its features. For example, they allow you to log in to secure areas of our Site and help the content of the pages you request load quickly. Without these cookies, the services that you have asked for cannot be provided, and we only use these cookies to provide you with those services.
2. Functionality Cookies: These cookies allow our Site to remember choices you make when you use our Site, such as remembering your login details and remembering the changes you make to other parts of our Site which you can customise. The purpose of these cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you visit our Site.
3. Analytical/Performance Cookies: These cookies are used to collect information about traffic to our Site and how users use our Site. It includes the number of visitors to our Site, the websites that referred them to our Site, the pages that they visited on our Site, what time of day they visited our Site, whether they have visited our Site before, and other similar information. We use this information to help operate our Site more efficiently, to gather broad demographic information and to monitor the level of activity on our Site.
4. Google Analytics: Our site uses Google Analytics (an analytical/performance cookie) to help analyse how users use the Site, collecting standard internet log information and visitor behaviour information in an anonymised form from which no user is identifiable. This information is transmitted to Google and processed to compile statistical reports on activity on the Site. These reports allow us to optimise our user experience. Google provide a browser add-on for users who wish to prevent their data from being used by Google Analytics. Further information is available at https://tools.google.com/dlpage/gaoptout/.
5. Third Parties: Third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

8.5 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via the support pages made available by your browser operator.

9. Third Parties

Our website may contain links to third party websites and refer to third party service providers and other entities. If you follow a link to any third party website or deal with any third party referred to on the Site, then they may have their own privacy and cookie policies and we are not responsible for their use of any personal data which you may provide to them.

10. Amendments

We may update this Policy from time to time by publishing a new version on our website. You should check occasionally to ensure you are happy with any changes to this Policy, although we may notify you of significant changes to this Policy using the contact details you have given us.

11. Data protection registration

We are registered as a data controller with the UK Information Commissioner's Office. Our data protection registration number is ZA495447.

12. Contact Us

If you have any questions, comments or requests regarding this Privacy and Cookie Policy or our use of any personal data you provide to us, please contact our Data Protection Officer at 15 Portland Place Marylebone London W1B 1PT or at DPO-ukmch@mayo.edu.

Last updated: 28 April 2020