Our Patient Privacy Notice is published separately.
This notice tells you how we look after your personal data if you are one of our customers, contractors, or suppliers (or a prospective customer, contractor or supplier). When we refer to customers, we include within that contacts at organisations who refer patients to us, and other persons who may be on our contacts list.
It sets out what information we collect about you, what we use it for, and who we share it with. It also explains your rights and what to do if you have any concerns.
We may sometimes need to update this notice to reflect changes to the way companies within the Icon Group manage their operations, or to comply with new legal requirements. We will notify you of any important changes before they take effect, and the latest version is always available at www.iconcancercentre.co.uk.
1. Who we are and other important information
Cancer Centre London (“CCL“) provides services and treatment for patients for a range of cancers and conditions at our centre based in Wimbledon, south-west London.
CCL is operated by Cancer Centre London LLP, which is a group company of Integrated Clinical Oncology Network UK Ltd (“Icon“) and the wider Icon group of companies (“Icon Group“). Icon Group employees carry out a number of functions to support CCL, such as marketing, IT, Finance, Information Governance, HR and legal support.
For the matters relevant to this privacy notice CCL or Icon are the controllers of your information. This means CCL or Icon will decide what information is collected and how it is used (based on the information that you share with us). The full details of CCL and Icon are set out below:
- Cancer Centre London LLP, a limited liability partnership incorporated in England and Wales with registered number OC352271 whose registered office is at Epsom Gateway, Ashley Avenue, Epsom, Surrey, KT18 5AL.
- Integrated Clinical Oncology Network UK Ltd, a company incorporated in England and Wales with registered number 15358341 whose registered office is at Suite 1, 7th Floor, 50 Broadway, London, United Kingdom, SW1H 0DB. Icon is registered with the Information Commissioner’s Office, registration number ZB753412.
2. How you can contact us
If you have any questions about this privacy notice or the way that we use information, please get in touch using the following details:
FAO: Icon Group Data Protection Officer
Email address: [email protected]
Postal address: Swiatek Suite, Boutique Workplace Company’s ‘Old Town Hall’, 4 Queen’s Rd, London SW19 8YB
3. The information we collect about you
Personal data means any information which does (or could be used to) identify a living person either directly or indirectly. This information may be collected in a variety of ways, for example, when you send us emails and other correspondence, when you sign and return any documentation to us and when you visit our premises.
We have grouped together the types of personal data that we collect and where we receive it from below:
Type of Personal Data | Received from
---|---
Identity Data – name, title, professional ID numbers, identity documents (including copies of passports and insurance certificates of currency, where required), emergency contact details |
Contact Data – work address, work telephone numbers, work email address |
Employment and Qualification Data – details of your employer, your job role, position and/or job title, area of employment (e.g. marketing, sales, procurement), area of medical speciality and sub-specialisation, training qualifications and insurances |
Financial Data – bank account details, payment records and tax status information |
Location Data – your place of work, device location if you log into our systems remotely |
Feedback and Communications – information and responses you provide when completing surveys and questionnaires, and records of your communications with us |
Photo and Image Data – images, videos, and audio (e.g. video calls) |
Profile Data – username, password, chat logs, audit trail of systems used, and documents accessed and downloaded |
Sensitive Data – any incident or injury records, information you choose to provide as part of our diversity or other questionnaires / surveys |
Technical Data – internet protocol (IP) address, browser type and version, time zone setting and generic location, browser plug-in types and versions, operating systems, and platform on the devices you use to access Icon Group systems |
We do not typically collect any special category information (e.g. medical information, race or ethnic origin, religion) unless we have your consent to do so or in limited circumstances where we have a legal obligation to collect it (e.g. recording medical information in the event of an incident on our premises).
In certain circumstances it will be necessary for you to provide us with your Personal Data, to enable us to manage our operations and to comply with our statutory obligations. In other circumstances, it will be at your discretion whether you provide us with Personal Data or not. However, failure to supply any of the Personal Data we request may mean that we are unable to fulfil a contract we may have in place with you or your employer.
We make every effort to maintain the accuracy and completeness of all Personal Data which we store and to ensure your Personal Data is up to date. However, you can assist us with this considerably by promptly contacting us if there are any changes to your Personal Data, or if you become aware that we have inaccurate Personal Data relating to you.
Your right to withdraw consent
Where our processing is based on you having provided consent to the collection, processing and transfer of your Personal Data for a specific purpose, you also have the right to withdraw your consent for that specific processing at any time.
To withdraw your consent, please contact us at the email address set out in section 2 above. Where these circumstances apply, once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
4. How we use your information
We are required to identify a legal justification (also known as a lawful basis) for collecting and using your personal data. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your personal data to:
- enter into and perform our contract with you;
- do something that you have given your consent for us to do;
- pursue our legitimate interests (our justifiable business aims), but only if those interests are not outweighed by your other rights and freedoms (e.g. your right to privacy);
- comply with a legal obligation that we have;
- (in very rare circumstances) protect your or another person’s vital interests (e.g. disclose medical information to an attending paramedic, inform your nominated emergency contact).
The table below sets out the lawful basis we rely on when we use your personal data. If we intend to use your personal data for a new reason that is not listed in the table, we will update our privacy notice and notify you.
Purposes | Justification
---|---
To fulfil our obligations under the contract we have entered into with you and/or to manage our relationship with you, including to communicate with you, to provide requested products or services to you and receive them from you, and to invoice you or pay you for services. | Performance of contract
To administer our company records, including managing statutory and non-statutory registers and record keeping. | Processing is necessary to comply with a legal obligation on us; processing is necessary for the purposes of our legitimate interests to run our business
Asking you to participate in surveys and other types of feedback. | Consent
Carrying out quality audits. | Processing is necessary to comply with a legal obligation on us; legitimate interests (necessary to improve and optimise our practices)
Monitoring physical presence at premises (e.g. sign in at reception, CCTV footage). | Legitimate interests (necessary to monitor physical building security and to investigate allegations of inappropriate behaviour)
To contact you (or an emergency contact) in the case of an emergency. | Processing is necessary to comply with a legal obligation on us; processing is necessary in order to protect your or another person’s vital interests; legitimate interests (to ensure the safety of our workforce and the public)
To review the circumstances of specific incidents, complaints, or queries. | Legitimate interests (necessary to improve and optimise our practices)
Reporting specific incidents to regulatory authorities such as the Health and Safety Executive and Public Health England. | Legal obligation
Reporting specific incidents to our insurers. | Legitimate interests (necessary to engage the cover arranged under our insurance policies and to maintain appropriate insurance cover in relation to our activities)
Dealing with legal disputes involving you or our staff. | Legitimate interests (necessary to defend legal claims)
In connection with legal claims relating to compliance, regulatory, auditing and investigative processes (including disclosure of Personal Data in connection with legal process or litigation and investigating any claims in relation to incidents with our vehicles). | Processing is necessary to comply with a legal obligation on us
5. Who we share your information with
We share (or may share) your personal data with:
- Icon Group personnel: Icon Group employees (or other types of workers) who have contractual obligations to maintain the confidentiality of your personal data. Some examples of this may be our Finance, Legal and IT teams.
- Service Providers: third party organisations that help us fulfil our contract with you and help manage Icon Group infrastructure. We ensure these organisations only have access to the information required to provide the support we use them for, and we will always agree a contract with such third parties containing appropriate and relevant confidentiality and data protection obligations.
- Regulatory authorities: government entities, including regulatory agencies and law enforcement, such as the Care Quality Commission, Public Health England, and the Health and Safety Executive.
- Icon Group professional advisers: such as our legal advisors where we require specialist advice.
- Any actual or potential buyer of the business: Any such entities will be subject to appropriate and relevant data protection and confidentiality provisions.
- Our insurers: to the extent necessary to ensure that Icon and its subsidiaries can engage the cover arranged under its insurance policies and maintain appropriate cover in relation to our activities.
If a company within the Icon Group was asked to provide personal data in response to a court order or legal request (e.g., from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response.
6. Where your information is located or transferred to
When we share personal data within the Icon Group or with third parties (as described above), that may involve your personal data being shared outside of the UK, including to Australia (where the Icon Group is headquartered).
We will only transfer information outside of the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located), which may include the following:
- ensuring that the country in which your personal data will be processed has been deemed “adequate” by the relevant UK authorities under Article 45 of the UK GDPR; or
- including the standard contractual data protection clauses approved by relevant authorities in the UK for transferring personal data outside the UK, into our contracts with other members of the Icon Group or third parties (these are the clauses approved under Article 46(2) of the UK GDPR).
7. How we keep your information safe
We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:
- appropriate security on storage of paper records including use of document shredding and security bins;
- authentication and password controls for electronic records;
- use of our managed devices and services (e.g. iPads, laptops, email) for transfer of data;
- periodic audits and risk assessments to ensure appropriate availability, integrity and confidentiality of personal data managed through our systems;
- access controls and user authentication;
- internal IT and network security;
- regular testing and review of our security measures;
- staff policies and training;
- incident and breach reporting processes;
- business continuity and disaster recovery processes; and
- ensuring that third parties are bound by confidentiality and are subject to terms that ensure compliance with the GDPR.
If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law).
If you have any concerns about the security of the data you have shared with us, please notify our Data Protection Officer at this email address: [email protected]
8. How long we keep your information
Where we act as the controller, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to comply with our legal obligations in respect of the retention of records.
We keep information related to our contracts with our customers for 6 years after the contract terminates.
To decide how long to keep personal data (also known as its retention period), Icon Group and its subsidiaries consider the volume, nature, and sensitivity of the personal data, the potential risk of harm to you if an incident were to happen, whether we require the personal data to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g. by using aggregated data instead), and any applicable legal requirements.
In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
9. Your legal rights
You have specific legal rights in relation to your personal data. If you wish to exercise any of these rights, please email our Data Protection Officer: [email protected]. Please note that these rights are not absolute and there are certain exemptions to them; if any of those apply to your request to exercise your rights, we will let you know.
It is usually free for you to exercise your rights and we aim to respond within one month (although we may ask you if we can extend this deadline by up to a further two months if your request is particularly complex or we receive multiple requests at once).
We can decide not to take any action in relation to a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive. If this happens, we will always inform you in writing. We may charge a fee where we decide to proceed with a request that we believe is unfounded or excessive.