Contact us

020 8247 3351

49 Parkside, London, SW19 5NB
United Kingdom

Privacy Notice Patients

To view the Customers, Contractors, Suppliers Privacy Notice, please click here.

This notice tells you how we look after your personal data if you are a patient of Cancer Centre London (“CCL”).

We are committed to protecting and respecting your privacy. We don't hide behind small print because we understand how important your privacy is to you.

That's why we share everything you need to know about what we do with your personal information (or “personal data”). We also make it simple for you to tell us what you want us to do with your personal data.

We aim to be transparent and fair in all aspects of how we collect, manage and account for your personal data. We take the privacy and security of your personal information very seriously. We are committed to complying with our legal obligations under Data Protection legislation (the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the Data (Use and Access) Act 2025 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)) and any subsequent or updated legislation.

This Privacy Notice explains what types of personal information we collect about you, what we do with that personal information, the legal basis for our processing of your personal information, what rights you have in relation to your personal information and how you can exercise those rights. It also explains when we share information and how we keep your personal information safe and secure.

It is important that you read this privacy notice together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This notice supplements other privacy notices and is not intended to override them. We may update this notice at any time, details of which are found at the end of this document.

1. Who we are and other important information

CCL provides services and treatment for patients for a range of cancers and conditions in our centres. You can find out more about the range of services we provide at iconcancercentre.co.uk.

CCL is operated by Cancer Centre London LLP, which is a group company of Integrated Clinical Oncology Network UK Ltd (“Icon”) and the wider Icon group of companies (“Icon Group”). Icon Group employees carry out a number of functions to support CCL such as marketing, IT, Finance, Information Governance, HR, and legal support, and these employees may be located in the UK, the EEA or in a third country such as Australia (our Head Office). Details for Cancer Centre London LLP and Icon are set out below.

  • Cancer Centre London LLP, a company registered in England and Wales under company number OC352271 whose registered office is at Epsom Gateway, Ashley Avenue, Epsom, Surrey, KT18 5AL.

  • Integrated Clinical Oncology Network UK Ltd, a company registered in England and Wales under company number 15358341 whose registered office is at Suite 1, 7th Floor, 50 Broadway, London, United Kingdom, SW1H 0DB. ICON is registered with the Information Commissioner’s Office, registration number ZB753412.

When we directly provide you with treatment or services, we act as data controller in relation to your information (which means we decide what information we collect and how it is used).

When we provide you with treatment or services in collaboration with your GP, or another health professional we may act as a joint controller for your information (which means CCL, your GP and/or the other health professional(s) will decide together how your information is used).

2. Contact details

If you have any questions about this privacy notice or the way that we use information, please get in touch using the following details:

  • FAO: Icon Data Protection Officer

  • Email address: nicola.palmer@icon.team

  • Postal address: Swiatek Suite, Boutique Workplace Company’s ‘Old Town Hall’, 4 Queen’s Rd, London SW19 8YB

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for Data Protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us or if you would like to opt-out of any services we provide.

Icon provides links to other websites that are not under our control. While we only link to sites that we believe offer credible information, we cannot guarantee this information is correct, up-to-date or evidence-based. Icon is not responsible for the contents of any linked website, or any link contained in a linked website, or any changes or updates to such websites. Please review the privacy notices on the third party website for further information.

These links are provided to help guide you to information we believe may be relevant to your needs and of interest.

3. The information we collect about you

Personal data means any information which does (or could be used to) identify a living person either directly or indirectly.

We have grouped together the types of personal data that we collect and where we receive it from below. This includes any special category information (e.g. medical and health information, race or ethnic origin, religious or philosophical beliefs, trade union membership, political opinions, sex life or sexual orientation, genetic or biometric information) that we may collect from you. Please note, this is not an exhaustive list but gives you an indication of the types of personal data we collect.

| Type of Personal Data | Received from |
| --- | --- |
| Identity Data – name, title, date of birth, NHS number, gender or pronoun, nationality | you; other health care provider (e.g. GP) |
| Financial Data – bank details, billing address, employer, private healthcare and insurance details | you |
| Contact Data – home address, telephone numbers, personal email address. It also includes any contact details provided to us relating to your family or preferred contact, next of kin, your private healthcare insurer and your registered GP | you; other health care provider (e.g. GP) |
| Health Data – all relevant medical information (including past, current and family health conditions, test results, treatments, procedures and medical advice), family medical history, current lifestyle and activities, clinical observations, scans, test results and medical reports, your medication and any associated side effects or allergies, incident and injury details | you; other health care provider (e.g. GP) |
| Feedback – information and responses you provide when completing surveys and questionnaires | you |
| Marketing and communications – data such as marketing and communication preferences | you |
| Photo and Image Data – images, scans, videos, CCTV and audio (e.g., video calls) | you; other health care provider (e.g. GP); external security providers |
| Sensitive Data (other than health data) – your ethnicity and religion | you |
| Technical Data – internet protocol (IP) address, browser type and version, time zone setting and generic location, browser plug-in types and versions, operating systems, and platform on the devices you use to access CCL Group systems | you (via cookies and similar technologies) |

You are not obligated to disclose your personal data to us. However, if you do not provide the information requested, we may not be able to provide you with the best possible health care or meet the expectations you may have of us as care providers.

In some cases, we will ask you to specifically consent to any collection, use or disclosure of your personal data.

We may anonymise the personal data we collect (so it can no longer identify you as an individual) and then combine it with other anonymous information, so it becomes aggregated data.

Aggregated data helps us identify trends and improve clinical treatment (e.g., by understanding further who uses our services and assessing our services in research projects). Data protection law does not govern the use of anonymous data and the various rights described below do not apply to it.

4. Information we collect about other people

You may provide us with information about someone other than yourself (i.e., next of kin or authorised signatory including where a power of attorney is in place).

When you share someone else’s information with us, you will:

  • confirm that you have asked that person for their permission (consent) to share their information with us;

  • confirm that you have explained to that person why their information is being shared with us (i.e., as your next of kin contact or authorised signatory);

  • confirm that person provides their permission (consent) for us to process their information in line with this privacy notice;

  • ensure that person is aware of how to contact us.

5. How we use your information

CCL is required to identify a GDPR legal justification (also known as a lawful basis) for collecting and using your personal data. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your personal data to:

  • do something that you have given your consent for;

  • perform our obligations under a contract with you for the provision of services;

  • comply with a legal obligation that we have;

  • pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g., your right to privacy); and

  • protect your or another person’s vital interests in emergency situations (e.g., disclose medical information to a paramedic, inform your next of kin contact).

The table below sets out examples of the lawful basis we rely on when we use your personal data (and the personal data of your nominated contacts or authorised signatory who can sign for your medication). Please note this is not an exhaustive list.

| Purposes | Justification |
| --- | --- |
| To provide treatment and administer medication | Contract to provide services; Vital Interests |
| To help inform decisions about your care and treatment | Contract to provide services |
| To work effectively with other organisations and individuals who may be involved in your care | Necessary for our legitimate interests (to work with relevant parties to aid our care for you) |
| To review the circumstances of specific incidents, complaints, or queries | Legal obligation; Legitimate interests (necessary to improve and optimise our practices) |
| To process financial matters, such as managing invoices, payments, fees, charges & collecting and recovering money owed to us | Contract to provide services; Necessary for our legitimate interests (to recover debts due to us) |
| Reporting specific incidents to regulatory authorities such as the Care Quality Commission, Health and Safety Executive, NHS England and Improvement, and Public Health England | Legal obligation |
| Reporting specific incidents to our insurers | Legitimate interests (necessary to engage the cover arranged under our insurance policies and to maintain appropriate insurance cover in relation to our activities) |
| To communicate with medical defence organisations, insurers, medical experts or lawyers for anticipated or existing legal proceedings | Legitimate interests (necessary to defend legal claims) |
| To administer our business, including administration, finance, data analysis, testing, system maintenance, support, reporting and hosting of data | Legitimate interests (necessary to manage our company) |
| To trial new applications and technology that would improve our ability to provide our services | Legitimate interests (necessary to improve and optimise the provision of our services) |
| To carry out research by assessing the provision of our services and the outcome of medication and/or treatment | Legitimate interests (necessary to improve the provision of our services and clinical treatment) |
| Processing the data of your authorised signatory to enable someone else to sign for your treatment and/or medication | Consent |
| Processing the data of your nominated next of kin contact(s) so that we can communicate with them if appropriate | Consent |
| To share information with you about our products and services which may interest you (you will always be given the option to opt-out of any marketing communication sent by Icon Group) | Consent |
| To allow you to access and use our website, for the improvement and maintenance of our website, to recognise you when you return to our website and to evaluate how you use our website | Legitimate interests (necessary for the purposes of our legitimate interests to operate our website); Consent (cookies) |
| For medical students to take part in placements at CCL or the Icon Group and to access your records for educational purposes | Legitimate interests (necessary for the education of medical students) |
| To monitor our premises for health and safety and crime prevention purposes via the use of CCTV | Legitimate interests (to ensure our premises are safe) |

6. Who we share your information with

We will share your personal data with authorised third parties. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. Additionally, we may be required by law to share your personal data.

The following is an indication of the third parties we may share your personal information with:

  • Icon Group personnel and facilities: Icon group employees (or other types of workers) who have contractual obligations to maintain the confidentiality of your personal data. Some examples are: medical and care professionals from other Icon facilities, Icon’s IT teams, HR teams, Marketing teams and Legal teams.

  • Joint Controllers and other health professionals: where you are referred to us by a GP or another hospital, your GP typically retains overall responsibility for your care. We always have a contract in place with the referring GP or hospital containing confidentiality and data protection obligations. We may also share personal data with other health professionals, such as a consultant, a doctor, other healthcare facilities or laboratory staff for a referral or for undertaking tests on any samples taken during your appointment.

  • Your employer or insurers: to the extent required to ensure that you can obtain the appropriate cover for your care. Your employer or insurer will obtain the relevant consent from you so that we can share your medical reports, invoices and information with them.

  • Regulatory authorities: such as the Care Quality Commission, Care Inspectorate, Regulation and Quality Improvement Authority (RQIA), NHS England and Improvement, Public Health England, and the Health and Safety Executive.

  • HM Revenue & Customs, regulators and other Authorities who require reporting of processing activities in certain circumstances.

  • CCL’s professional advisers, such as our legal advisors, where we require specialist advice.

  • Corporate transactions: we may transfer any of the information we have about you to proceed with the consideration, negotiation, or completion of a sale or transfer of all or a portion of our business or assets to a third party, such as in the event of a merger, acquisition or other disposition, or in connection with a bankruptcy reorganisation, dissolution, or liquidation.

  • CCL’s insurers: to the extent necessary to ensure that CCL can engage the cover arranged under its insurance policies and maintain appropriate cover in relation to our activities.

  • To enforce or apply our Terms of Service or other agreements or to protect our business (including with other companies and organisations for the purposes of fraud protection and credit risk reduction).

  • To any competent law enforcement body, regulatory, government agency, court, prison or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person.

  • Certain suppliers: such as IT technical services and support, data hosting providers, CRM providers, payment service providers (for processing your payment), billing/invoice support providers, alarm and CCTV providers, third party pharmacies (for processing your prescription) and couriers (e.g. where we have collected samples during your appointment and we transport them to a laboratory to be tested).

  • Relatives, guardian, close friends, next of kin, Power of Attorney, advocate or legal representative: In certain circumstances, CCL may provide information about your condition to your next of kin, where you are incapable of giving consent or cannot communicate the consent. CCL will disclose your personal data where it is satisfied that the disclosure is necessary to provide care or treatment to you or for compassionate reasons, unless you inform us that you do not wish CCL to disclose your personal data to any such person. Where you do not have capacity, CCL will disclose information about your health to a person exercising your power of attorney under an enduring power of attorney or advance care directive.

  • Students, medical, nursing, allied health disciplines: as part of their placement, students may access patient health records of treatment. All students undertaking placement with CCL sign a confidentiality agreement.

  • To any other person with your consent to the disclosure.

If we are asked to provide personal data in response to a court order or legal request (e.g., from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response.

7. Where your information is located or transferred to

When we share personal data within the Icon Group or with third parties (as described above), that may involve your personal data being shared outside of the UK, including to Australia (where the Icon Group is headquartered).

We will only transfer information outside of the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located), which may include the following:

  • ensuring that the country in which your personal data will be processed has been deemed “adequate” by the relevant UK authorities under Article 45 of the UK GDPR; or

  • including the EU Standard Contractual Clauses (SCCs) and UK Addendum or the UK International Data Transfer Agreement (IDTA) approved by relevant supervisory authorities for transferring personal data outside the UK, into our contracts with other members of the Icon Group or third parties (as per Article 46(2) of the UK & EU GDPR).

Should the international data transfer requirements change, we will review the obligations and amend this notice as appropriate. Please contact our DPO for further information in this respect.

8. How we keep your information safe

We take the security of your information very seriously. We have in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data and we ensure that our staff regularly undertake data protection training. We have in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. We have appointed a Data Protection Officer (DPO), a Caldicott Guardian, and a Senior Information Risk Owner (SIRO), along with designated senior personnel, who collectively hold formal responsibility for overseeing data protection compliance, information governance, and the safeguarding of information.

9. How long we keep your information

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to comply with our legal obligations in respect of the retention of records. CCL will destroy or permanently de-identify any of your information which is in its possession or control and which is no longer needed for the purpose for which it was collected, unless otherwise required by law to be retained.

To decide how long to keep personal data (also known as its retention period), CCL considers the volume, nature, and sensitivity of the personal data, the potential risk of harm to you if an incident were to happen, whether we require the personal data to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g., by using aggregated data instead), and any applicable legal requirements.

10. Your legal rights

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes.

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

  • Be informed, through the provision of a privacy notice, when your personal information is processed.

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

  • Request rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.

  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you.

  • Request the transfer of your personal information to another party.

  • Automated decision making, including profiling: we do not envisage that we will conduct any automated processing, including profiling; however, we will inform you if this changes.

Generally, you will not have to pay a fee to exercise any of your legal rights. However, we are entitled to charge a reasonable fee if any request is clearly unfounded, repetitive or excessive. We can also refuse to comply with an unfounded or excessive request. We may need to request information from you to confirm your identity, in order to make sure that personal data is not disclosed to someone who is not entitled to have it. We may also need to ask you for additional information to help us respond to your request.

We endeavour to respond to your request within one month but, if the request is very complex or if you have made a number of requests, we are legally able to extend the request by an additional two months. In such circumstances, we will explain to you why it will take longer to respond and we will keep you updated.

Where we act as a joint data controller (e.g. with your GP), we may inform the other organisation that acts with us that you have made a request. Depending on what you have asked for, it may be more appropriate for the other organisation to respond to you instead of CCL. We will always let you know what our approach will be. We will also work collaboratively with the joint data controller in respect of any complaints or enquiries from the regulator.

Please contact our DPO to exercise any of your rights.

Complaints:

We would encourage you to contact us, in the first instance, if you are unhappy with any aspect of the way in which we process your personal data. You can get in touch with our DPO using the details provided above.

You can bring Data Protection complaints in writing or verbally; this can be through inbound contact to us (such as email, telephone) or via other means of contact, such as social media or online via our website. We have a procedure for responding to Data Protection complaints and we can provide a complaint form should this be required.

If you are not satisfied with the outcome of your complaint, you have the right to refer such matters to the ICO (www.ico.org.uk). It is worth noting the ICO expect individuals to exhaust the complaints process internally before referring complaints to them.

NHS NATIONAL DATA OPT-OUT

As part of our commitment to transparency and data protection, we comply with the NHS National Data Opt-Out policy. This means that you have the right to choose whether your confidential patient information is used for purposes beyond your individual care, such as research and planning. If you do not want your data to be used in this way, you can set your preference at any time via the NHS App or by visiting https://www.nhs.uk/your-nhs-data-matters. Your choice will not affect your individual care and treatment, and you can change your decision whenever you wish.

CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

In the unlikely event that we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

CHANGES TO THIS PRIVACY NOTICE

From time to time, we may revise this Privacy Notice and any such changes will be reflected on this page.

Revision History 

| No | Details | Date | Author |
| --- | --- | --- | --- |
| V1.1 | DPO Review | 06/04/2026 | DPO |