Policy key definitions:
- “I”, “our”, “us”, or “we” refer to the business, Summerhill Health.
- “you”, “the user” refer to the person(s) using this website.
- GDPR means General Data Protection Act.
- PECR means Privacy & Electronic Communications Regulation.
- ICO means Information Commissioner’s Office.
- Cookies mean small files stored on a user’s computer or device.
Key principles of GDPR:
Processing of your personal data:
This practice keeps medical records confidential and complies with the General Data Protection Regulation.
We hold your medical record so that we can provide you with safe care and treatment.
We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.
Under the GDPR (General Data Protection Regulation) we are required to provide you with the following information about how we handle your information.
The Personal Data we collect from you includes but is not limited to the following:
When you enquire about our services, we will request Personal Data such as your name, date of birth, email address and telephone numbers, and information about you to help us to register you to see a doctor and to contact you with further information such as results of tests and investigations. When you register with us we will request detailed medical information relevant to you. This information is stored within a hosted practice management system, Heydoc.
Mindspace c/o Heydoc
9 Appold Street
London EC2A 2AP
Heydoc is UK-based and GDPR compliant with a number of key features:
- 256-bit encryption and servers based in London
- 2-factor authentication for user login with SSL encryption (the same level of security as used for online banking)
- Ability to offer video consultations where needed
If you visit our website and make enquiries through this website, your usage may be tracked by using “cookies” and other similar technologies to help us make improvements to the websites and to the services we make available. Please see the Cookies section below for more information.
Where we receive or make phone calls on your behalf, we will collect call data records including the calling line identity passed, the call date and time, the number dialled and the duration of the call, the names of the parties to the call, and any message or other information given during the call.
Where we receive or send emails on your behalf, we may collect the names and email addresses of the third parties and any information contained therein.
If we receive or send paper documents or other forms of communication on your behalf, we may collect the names and addresses of the third parties and any information contained therein. When you make a booking through our online booking tool, we will collect the information you enter into the booking tool and the IP addresses from which you accessed the website.
Where we provide relevant services to you, such as referral to specialists, we will provide you with these in encrypted format.
We will NOT at any time share any of your information with any third party for the purposes of marketing, advertising or website testimonials without your specific consent.
In compliance with GDPR Article 6 (“processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract”), we will use the Personal Data for purposes that include but are not limited to:
- Processing any enquiries you have about our services;
- verifying your identity when you use our services or contact us;
- understanding, processing and executing instructions you give us in relation to the delivery of our services;
- delivering our services to you;
- notifying you about changes to our website, services or terms and conditions or anything else we may be required or reasonably expected to notify you of;
- providing you with accurate and detailed billing for using our services; and
- collecting payment, and recovering any monies you may owe to us for use of our services.
In compliance with GDPR Article 6 (“processing is necessary for compliance with a legal obligation to which the controller is subject”), we will use the Personal Data for purposes that include but are not limited to:
- maintaining our business records and accounts;
- meeting our obligations to HMRC;
- preventing or detecting a crime, fraud or misuse of our services, and investigating where we believe any of these have or may have occurred;
- meeting our obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the London Local Authorities Act 2007.
In compliance with GDPR Article 6 (“the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes”), if you have given and not withdrawn consent we may use the Personal Data for these purposes:
- to provide you with information about our other services, offers or products that you may be interested in; and
- to provide you with information about third party services, offers or products that you may be interested in.
Whilst storing your data we will use Appropriate Technical and Organisational Measures to keep Personal Data secure and to prevent it being accidentally lost, accessed or used in an unauthorised way, altered or disclosed. We will make reasonable efforts to ensure the data is accurate and up to date and will undertake to rectify any inaccuracies of which we become aware without delay. All Personal Data we store is stored in the European Economic Area.
We may monitor and record your phone and/or video conversations with us and use this information for training and quality purposes, to ensure any verbal instructions you give us are properly understood, to enable us to investigate complaints, and to meet our legal and regulatory obligations. All recordings are encrypted and securely stored shortly after completion of the phone call and access to recordings is controlled and monitored.
We may share information with third parties:
- In response to properly made requests from law enforcement agencies for the prevention and/or detection of a crime, for the purpose of safeguarding national security or when the law requires us to, such as in response to a court order or other lawful demand or powers contained in legislation;
- in response to properly made requests from regulatory bodies such as the Information Commissioner’s Office and Ofcom;
- as part of the process of selling our business;
- as part of current or future legal proceedings; and
- with a company who is assisting us in providing services to you or who provides services to us which enable us to provide our services to you, examples of such services being billing and financial systems, telecommunications services and customer management systems. Where we use companies for this purpose we have contracts in place to ensure they remain GDPR compliant with your data.
Some of the organisations with whom we may share information may be outside the European Economic Area in countries that do not always have the same data protection laws as the UK. However, we will have contracts in place with them to ensure that your information is adequately protected and we will remain bound by our obligations even when your personal information is processed outside the European Economic Area.
Where any data breach is identified that affects the information that we hold about or have processed from you, we will take urgent action in accordance with the GDPR and guidance issued from the Information Commissioner’s Office. If you identify any data breach that affects data we have passed to you, you must notify us in writing immediately and provide full information about the data affected by this breach.
The time period that we will keep information for will vary depending on what the information is used for. Unless there is a specific legal requirement to the contrary, we will keep information in a form which permits identification of Data Subjects only for as long as it is necessary for the purposes for which we process it. Once the requirement to hold the data is complete, appropriate measures will be taken to delete the data in line with the terms of the GDPR.
Some cookies are required to enjoy and use the full functionality of this website.
Our website uses Google Analytics, a web analytics service provided by Google Ireland Ltd. If the body responsible for the data processing that occurs via this website is based outside of the European Economic Area and Switzerland, then the associated Google Analytics data processing is carried out by Google LLC. Google Ireland Limited and Google LLC will hereinafter be referred to as “Google”.
Google Analytics uses “cookies”, which are text files saved on the site visitor’s computer, to help the website analyse their use of the site. The information generated by the cookie (including the truncated IP address) about the use of the website will normally be transmitted to and stored by Google.
Google Analytics is used exclusively with the extension “_anonymizeIp()” on this website. This extension ensures anonymization of the IP address by truncation and excludes a direct personal reference. Via this extension Google truncates the site visitor’s IP address within member states of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional situations will the site visitor’s full IP address be transmitted to Google servers in the United States and truncated there. The IP address that is provided by your browser when using Google Analytics will not be merged by Google with other data from Google.
On behalf of Summerhill Health, Google will use the information collected to evaluate the use of our website, to compile reports on website activity and to provide other website and internet related services to us (Art. 6(1)(f) GDPR). The legitimate interest in data processing lies in the optimization of this website, the analysis of the use of the website and the adaptation of the content. The interests of the users are adequately protected by the pseudonymization of their data.
Google LLC has certified its compliance with the EU-U.S. Privacy Shield Framework and on that basis provides a guarantee to comply with European data protection law. The data sent and linked to the Google Analytics cookies, e.g. user IDs or advertising IDs, will be automatically deleted after 50 months. The deletion of data whose retention period has been reached is done automatically once a month.
Further information concerning the terms and conditions of use and data privacy can be found at https://www.google.com/analytics/terms/us.html or https://www.google.com/analytics/learn/privacy.html.
Data subject access request
Under the GDPR, a Data Subject has the right to request a record of the data held about him/her. To do this a request should be submitted in writing to the Data Protection Officer at the email address email@example.com. We may ask the Data Subject to provide us with proof of identity to make sure we are giving information to the right person.
Other rights of Data Subject
The GDPR gives Data Subjects a number of other rights, including the right to request the correction or erasure of Personal Data, the right to request the restriction of processing of Personal Data, the right to request the transfer of Personal Data (to the Data Subject or a third party), and the right to withdraw your consent to the processing at any time where consent is the lawful basis for processing.
Please note that the ways in which we collect, use and protect Personal Data will be reviewed periodically and may change from time to time. We will notify you by email should such changes occur.
If you have any questions about privacy issues, want us to update your marketing preferences, or amend information, please contact us either by email at firstname.lastname@example.org or call the team on 0161 393 3993.
In the first instance, please contact us using the details above. If this does not resolve your complaint to your satisfaction, you have the right to complain to the Information Commissioner about the way in which we collect and use your Personal Data. Contact the ICO via https://www.ico.org.uk/concerns, telephone 0303 123 1113, or write to ICO, 100 College Road, Harrow, HA1 1BQ.
You can see more about these rights at:
We are registered with the ICO under the Data Protection Register; our registration number is A8470649.