Contact us

020 8247 3351

49 Parkside, London, SW19 5NB
United Kingdom

Privacy Notice – Customers, Contractors, Suppliers

To view our Patient Privacy Notice, please click here.

This notice tells you how we look after your personal data if you are one of our customers, contractors, or suppliers (or a prospective customer, contractor or supplier). When we use the term “customers”, this also includes contacts at organisations that refer patients to us, as well as other individuals whose details we hold in our contact records.

We aim to be transparent and fair in all aspects of how we collect, manage and account for your personal data. We take the privacy and security of your personal information very seriously. We are committed to complying with our legal obligations under Data Protection legislation (the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the Data (Use and Access) Act 2025 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)) and any subsequent or updated legislation.

This Privacy Notice explains what types of personal information we collect about you, what we do with that personal information, the legal basis for our processing of your personal information, what rights you have in relation to your personal information and how you can exercise those rights. It also explains when we share information and how we keep your personal information safe and secure.

1. Who we are and other important information

CCL is operated by Cancer Centre London LLP, which is a group company of Integrated Clinical Oncology Network UK Ltd (“Icon”) and the wider Icon group of companies (“Icon Group”). Icon Group employees carry out a number of functions to support Icon and these employees may be located in the UK, the EEA or in a third country such as Australia (our Head Office). Details for the UK companies are set out below.

  • Cancer Centre London LLP, a company registered in England and Wales under company number OC352271 whose registered office is at Epsom Gateway, Ashley Avenue, Epsom, Surrey, KT18 5AL. 

  • Integrated Clinical Oncology Network UK Ltd, a company registered in England and Wales under company number 15358341 whose registered office is at Suite 1, 7th Floor 50 Broadway, London, United Kingdom, SW1H 0DB. QPHL is registered with the Information Commissioner’s Office, registration number ZB753412.

For the matters relevant to this privacy notice Icon is the data controller of your information. This means Icon will decide what information is collected and how it is used (based on the information that you share with us).

2. How you can contact us

If you have any questions about this privacy notice or the way that we use information, please get in touch using the following details: 

  • FAO: Icon Data Protection Officer  

  • Email address: nicola.palmer@icon.team

  • Postal address: Swiatek Suite, Boutique Workplace Company’s ‘Old Town Hall’, 4 Queen’s Rd, London SW19 8YB

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for Data Protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

These links are provided to help guide you to information we believe may be relevant to your needs and of interest.

3. The information we collect about you

Personal data means any information which does (or could be used to) identify a living person either directly or indirectly. We may collect this information through our interactions with you as a customer, contractor, or supplier, including by email, written correspondence, completion of documentation, and visits to our premises.

We have grouped together the types of personal data that we collect and where we receive it from below (not an exhaustive list):

| Type of Personal Data | Received from |
| --- | --- |
| Identity Data – name | You |
| Contact Data – name of employer, work address, work telephone numbers, work email address | You |
| Employment Data – details of your employer, your job role, position and/or job title, area of employment (e.g. marketing, sales, procurement) | You |
| Financial Data – Employer bank account details, payment information, contract, invoices | You |
| Feedback and communications – information and responses you provide when completing surveys and questionnaires, and records of your communications with us | You |

We do not collect any special category information relating to our customers, contractors or suppliers.

In certain circumstances it will be necessary for you to provide us with your Personal Data, to enable us to manage our operations and to comply with our statutory obligations. In other circumstances, it will be at your discretion whether you provide us with Personal Data or not. However, failure to supply any of the Personal Data we request may mean that we are unable to fulfil a contract we may have in place with you or your employer.

We make every effort to maintain the accuracy and completeness of all Personal Data which we store and to ensure your Personal Data is up to date. However, you can assist us with this considerably by promptly contacting us if there are any changes to your Personal Data, or if you become aware that we have inaccurate Personal Data relating to you.

Your right to withdraw consent

Where our processing is based on you having provided consent to the collection, processing and transfer of your Personal Data for a specific purpose, you also have the right to withdraw your consent for that specific processing at any time.

To withdraw your consent, please contact us at the email address set out in section 2 above.

4. How we use your information

We are required to identify a legal justification (also known as a lawful basis) under GDPR for collecting and using your personal data. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your personal data to:

  • enter into and perform our contract with you;

  • do something that you have given your consent for us to do;

  • pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g., your right to privacy);

  • comply with a legal obligation that we have.

The table below sets out the lawful basis we rely on when we use your personal data (not an exhaustive list).

| Purposes | Justification |
| --- | --- |
| To fulfil our obligations under the contract we have entered into with you/your employer and/or to manage our relationship with you, including to communicate with you, to provide to you and to receive from you, requested products or services and to invoice you or pay you for services. | Performance of contract |
| To fulfil our obligations under the contract we have entered into with your employer, and/or to manage our relationship with your employer, including to communicate with you, to provide to your employer and to receive from your employer, requested products or services and to invoice your employer or pay your employer for services. | Performance of contract |
| Asking you to participate in surveys and other types of feedback | Consent |
| To review the circumstances of specific incidents, complaints, or queries. | Legitimate interests (necessary to resolve issues) |
| In connection with legal claims relating to compliance, regulatory, auditing and investigative processes (including disclosure of Personal Data in connection with legal process or litigation and investigating any claims). | Processing is necessary to comply with a legal obligation on us |

5. Who we share your information with

We share (or may share) your personal data with:

  • Icon Group personnel: Icon Group employees (or other types of workers) who have contractual obligations to support Icon. Some examples of this may be our Finance, Legal, HR and IT teams.

  • Icon Group professional advisers: such as our legal advisors where we require specialist advice.

  • HM Revenue & Customs, regulators and other Authorities who require reporting of processing activities in certain circumstances.

  • To enforce or apply our Terms of Service or other agreements or to protect our business (including with other companies and organisations for the purposes of fraud protection and credit risk reduction).

  • Any actual or potential buyer of the business: Any such entities will be subject to appropriate and relevant data protection and confidentiality provisions.

  • Our insurers: to the extent necessary to ensure that Icon and its subsidiaries can engage the cover arranged under its insurance policies and maintain appropriate cover in relation to our activities.

6. Where your information is located or transferred to

When we share personal data within the Icon Group or with third parties (as described above), that may involve your personal data being shared outside of the UK, including to Australia (where the Icon Group is headquartered).

We will only transfer information outside of the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located), which may include the following:

  • ensuring that the country in which your personal data will be processed has been deemed “adequate” by the relevant UK authorities under Article 45 of the UK GDPR; or 

  • including the EU Standard Contractual Clauses (SCCs) and UK Addendum or the UK International Data Transfer Agreement (IDTA) approved by relevant supervisory authorities for transferring personal data outside the UK, into our contracts with other members of the Icon Group or third parties (as per Article 46(2) of the UK & EU GDPR).

Should the international data transfer requirements change, we will review the obligations and amend this notice as appropriate. Please contact our DPO for further information in this respect.

7. How we keep your information safe

We take the security of your information very seriously. We have in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

8. How long we keep your information

Where we act as the controller, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to comply with our legal obligations in respect of the retention of records.

We keep information related to our contracts with our customers, suppliers and contractors for 6 years after the contract terminates.

9. Your legal rights

Under certain circumstances, by law you have the right to: 

  • Be informed by the provision of a privacy notice when your personal information is processed.

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. 

  • Request rectification of the personal information that we hold about you.  This enables you to have any incomplete or inaccurate information we hold about you corrected. 

  • Request erasure of your personal information.  This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing. 

  • Right to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground.  You also have the right to object where we are processing your personal information for direct marketing purposes. 

  • Request the restriction of processing of your personal information.  This enables you to ask us to suspend the processing of personal information about you. 

  • Request the transfer of your personal information to another party. 

  • Automated decision making, including profiling: we do not envisage that we will conduct any automated processing, including profiling; however, we will inform you if this changes.

Generally, you will not have to pay a fee to exercise any of your legal rights. However, we are entitled to charge a reasonable fee if any request is clearly unfounded, repetitive or excessive. We can also refuse to comply with an unfounded or excessive request. We may need to request information from you to confirm your identity, in order to make sure that personal data is not disclosed to someone who is not entitled to have it. We may also need to ask you for additional information to help us respond to your request.

We endeavour to respond to your request within one month but, if the request is very complex or if you have made a number of requests, we are legally able to extend the request by an additional two months. In such circumstances, we will explain to you why it will take longer to respond and we will keep you updated. Please contact our DPO to exercise any of your rights.

10. Complaints

We would encourage you to contact us, in the first instance, if you are unhappy with any aspect of the way in which we process your personal data. You can get in touch with our DPO using the details provided above. 

You can bring Data Protection complaints in writing or verbally; this can be through inbound contact to us (such as email, telephone) or via other means of contact, such as social media or online via our website. We have a procedure for responding to Data Protection complaints and we can provide a complaint form should this be required.

If you are not satisfied with the outcome of your complaint, you have the right to refer such matters to the ICO (www.ico.org.uk). It is worth noting the ICO expect individuals to exhaust the complaints process internally before referring complaints to them.   

11. Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Changes to this Privacy Notice

From time to time, we may revise this Privacy Notice and any such changes will be reflected on this page.

Revision History  

| No | Details | Date | Author |
| --- | --- | --- | --- |
| V1.1 | DPO Review | April 2026 | DPO |