Cancer Centre London 

Privacy Notice – Patients 

To view the Customers, Contractors, Suppliers Privacy Notice, please click here.

This notice tells you how we look after your personal data if you are a patient of Cancer Centre London (“CCL”).  

It sets out what information we collect about you, what we use it for and who we share it with. It also explains your rights and what to do if you have any concerns. 

We may sometimes need to update this notice, to reflect any changes to the way we manage our day-to-day activities, or to comply with new legal requirements. We will notify you of any important changes before they take effect, and the latest version is always available on our website iconcancercentre.co.uk.

1. Who we are and other important information 

CCL provides services and treatment for patients for a range of cancers and conditions at our centre based in Wimbledon, south-west London. You can find out more about the range of services we provide at iconcancercentre.co.uk.

CCL is operated by Cancer Centre London LLP, which is a group company of Integrated Clinical Oncology Network UK Ltd (“Icon”) and the wider Icon group of companies (“Icon Group”). Icon Group employees carry out a number of functions to support CCL such as marketing, IT, Finance, Information Governance, HR, and legal support. Details for Cancer Centre London LLP and Icon are set out below.

  • Cancer Centre London LLP, a company registered in England and Wales under company number OC352271 whose registered office is at Epsom Gateway, Ashley Avenue, Epsom, Surrey, KT18 5AL. 
  • Integrated Clinical Oncology Network UK Ltd, a company registered in England and Wales under company number 15358341 whose registered office is at Suite 1, 7th Floor 50 Broadway, London, United Kingdom, SW1H 0DB. QPHL is registered with the Information Commissioner’s Office, registration number ZB753412.

When we directly provide you with treatment or services, we act as controller in relation to your information (which means we decide what information we collect and how it is used). 

When we provide you with treatment or services in collaboration with your GP, or another health professional we may act as the joint controller for your information (which means CCL, your GP and/or the other health professional(s) will decide together how your information is used).  

2. Contact details

If you have any questions about this privacy notice or the way that we use information, please get in touch using the following details: 

FAO: Icon Data Protection Officer  

Email address: [email protected]

Postal address: Swiatek Suite, Boutique Workplace Company’s ‘Old Town Hall’, 4 Queen’s Rd, London SW19 8YB

3. The information we collect about you

Personal data means any information which does (or could be used to) identify a living person either directly or indirectly.

We have grouped together the types of personal data that we collect and where we receive it from below. This includes any special category information (e.g. medical information, race or ethnic origin, religion) that we may collect from you.  

Type of Personal Data | Received from
Identity Data – name, title, date of birth, NHS number, gender, next of kin contact and their relationship to you
  • you
  • other health care provider (e.g. GP)
Financial Data – bank details, billing address, employer, private healthcare and insurance details
  • you
Contact Data – home address, telephone numbers, personal email address
  • you
  • other health care provider (e.g. GP)
Health Data – relevant medical history (including past, current and family health conditions, test results, treatments, procedures and medical advice), family medical history, current lifestyle and activities, clinical observations, scans, test results and medical reports, private healthcare and GP details, and incident and injury details
  • you
  • other health care provider (e.g. GP)
Feedback – information and responses you provide when completing surveys and questionnaires
  • you
Photo and Image Data – images, videos and audio (e.g., video calls)
  • you
  • other health care provider (e.g. GP)
  • external security providers
Sensitive Data (other than health data) – your ethnicity
  • you
Technical Data – internet protocol (IP) address, browser type and version, time zone setting and generic location, browser plug-in types and versions, operating systems, and platform on the devices you use to access CCL Group systems
  • you (via cookies and similar technologies)

 

You are not obligated to disclose your personal data to us. However, if you do not provide the information requested, we may not be able to provide you with the best possible health care or meet the expectations you may have of us as care providers. 

In some cases, we will ask you to specifically consent to any collection, use or disclosure of your personal data.  

We may anonymise the personal data we collect (so it can no longer identify you as an individual) and then combine it with other anonymous information, so it becomes aggregated data.

Aggregated data helps us identify trends and improve clinical treatment (e.g., by understanding further who uses our services and assessing our services in research projects).  Data protection law does not govern the use of aggregated data and the various rights described below do not apply to it. 

4. Information we collect about other people

You may provide us with information about someone other than yourself (i.e., next of kin or authorised signatory including where a power of attorney is in place).  

When you share someone else’s information with us, you will:  

  • confirm that you have asked that person for their permission (consent) to share their information with us; 
  • confirm that you have explained to that person why their information is being shared with us (i.e., as your next of kin contact or authorised signatory); 
  • confirm that person provides their permission (consent) for us to process their information in line with this privacy notice;  
  • ensure that person is aware of how to contact us.

5. How we use your information

CCL is required to identify a legal justification (also known as a lawful basis) for collecting and using your personal data. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your personal data to: 

  • do something that you have given your consent for; 
  • perform our obligations under a contract with you for the provision of services; 
  • comply with a legal obligation that we have;  
  • pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g., your right to privacy); and 
  • protect your or another person’s vital interests (e.g., disclose medical information to a paramedic, inform your next of kin contact).

The table below sets out the lawful basis we rely on when we use your personal data (and the personal data of your nominated contacts or authorised signatory who can sign for your medication).  

If we intend to use your personal data for a new reason that is not listed in the table, we will update our privacy notice and notify you. 

Purposes | Justification
To review the circumstances of specific incidents, complaints, or queries.
  • Legal obligation
  • Legitimate interests (necessary to improve and optimise our practices)
Reporting specific incidents to regulatory authorities such as the Care Quality Commission, Health and Safety Executive, NHS England and Improvement, and Public Health England.
  • Legal obligation
Reporting specific incidents to our insurers
  • Legitimate interests (necessary to engage the cover arranged under our insurance policies and to maintain appropriate insurance cover in relation to our activities)
To communicate with medical defence organisations, insurers, medical experts or lawyers for anticipated or existing legal proceedings
  • Legitimate interests (necessary to defend legal claims)
Trialling new applications and technology that would improve our ability to provide our services
  • Legitimate interests (necessary to improve and optimise the provision of our services)
To carry out research by assessing the provision of our services and the outcome of medication and/or treatment
  • Legitimate interests (necessary to improve the provision of our services and clinical treatment)
Processing the data of your authorised signatory to enable someone else to sign for your treatment and/or medication
  • Consent
Processing the data of your nominated next of kin contact(s) so that we can communicate with them if appropriate
  • Consent
To share information with you about our products and services which may interest you (you will always be given the option to opt-out of any marketing communication sent by Icon Group)
  • Legitimate interests (necessary for the purposes of our legitimate interests to carry out marketing)
To allow you to access and use our website, for the improvement and maintenance of our website, to recognise you when you return to our website and to evaluate how you use our website
  • Legitimate interests (necessary for the purposes of our legitimate interests to operate our website)
For medical students to take part in placements at CCL or the Icon Group and to access your records for educational purposes.
  • Legitimate interests (necessary for the education of medical students)

6. Who we share your information with

We share (or may share) your personal data with: 

  • Icon Group personnel and facilities: Icon group employees (or other types of workers) who have contractual obligations to maintain the confidentiality of your personal data. Some examples are medical and care professionals from other Icon facilities, Icon’s IT teams, marketing teams and legal teams.  
  • Joint Controllers and other health professionals: where you are referred to us by a GP or another hospital, your GP typically retains overall responsibility for your care. We always have a contract in place with the referring GP or hospital containing confidentiality and data protection obligations. We may also share personal data with other health professionals, such as a consultant, other healthcare facilities or laboratory staff for a referral or for undertaking tests on any samples taken during your appointment.  
  • Your employer or insurers: to the extent required to ensure that you can obtain the appropriate cover for your care. 
  • Regulatory authorities: such as the Care Quality Commission, Care Inspectorate, Regulation and Quality Improvement Authority (RQIA), NHS England and Improvement, Public Health England, and the Health and Safety Executive.
  • CCL’s professional advisers such as our legal advisors where we require specialist advice  
  • CCL’s insurers: to the extent necessary to ensure that CCL can engage the cover arranged under its insurance policies and maintain appropriate cover in relation to our activities.   
  • Certain suppliers: such as IT technical services and support, data hosting providers, payment service providers (for processing your payment), third party pharmacies (for processing your prescription) and couriers (e.g. where we have collected samples during your appointment and we transport them to a laboratory to be tested).  
  • Relatives, guardian, close friends or legal representative: In certain circumstances, CCL may provide information about your condition to your next of kin, where you are incapable of giving consent or cannot communicate the consent. CCL will disclose your personal data where it is satisfied that the disclosure is necessary to provide care or treatment to you or for compassionate reasons, unless you inform us that you do not wish CCL to disclose your personal data to any such person. Where you do not have capacity, CCL will disclose information about your health to a person exercising your power of attorney under an enduring power of attorney or advance care directive. 
  • Students, medical, nursing, allied health disciplines: as part of their placement, students may access patient health records of treatment. All students undertaking placement with CCL sign a confidentiality agreement. 

If CCL were asked to provide personal data in response to a court order or legal request (e.g., from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response. 

7. Where your information is located or transferred to

When we share personal data within the Icon Group or with third parties (as described above), that may involve your personal data being shared outside of the UK, including to Australia (where the Icon Group is headquartered).  

We will only transfer information outside of the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located), which may include the following: 

  • ensuring that the country in which your personal data will be processed has been deemed “adequate” by the relevant UK authorities under Article 45 of the UK GDPR; or 
  • including the standard contractual data protection clauses approved by relevant authorities in the UK for transferring personal data outside the UK, into our contracts with other members of the Icon Group or third parties (these are the clauses approved under Article 46(2) of the UK GDPR). 

8. How we keep your information safe

We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include: 

  • appropriate security on storage of paper records including use of document shredding and security bins 
  • authentication and password controls for electronic records 
  • use of our managed devices and services (e.g. iPads, laptops, email) for transfer of data 
  • periodic audits and risk assessments to ensure appropriate availability, integrity and confidentiality of personal data managed through our systems 
  • access controls and user authentication 
  • internal IT and network security  
  • regular testing and review of our security measures 
  • staff policies and training 
  • incident and breach reporting processes 
  • business continuity and disaster recovery processes 
  • ensuring that third parties are bound by confidentiality and are subject to terms that ensure compliance with the UK GDPR 

If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law). 

9. How long we keep your information

Where we act as the controller, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to comply with our legal obligations in respect of the retention of records. CCL will destroy or permanently de-identify any of your information which is in its possession or control and which is no longer needed for the purpose for which it was collected, unless otherwise required by law to be retained. 

To decide how long to keep personal data (also known as its retention period), CCL considers the volume, nature, and sensitivity of the personal data, the potential risk of harm to you if an incident were to happen, whether we require the personal data to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g., by using aggregated data instead), and any applicable legal requirements. 

10. Your legal rights

You have specific legal rights in relation to your personal data. If you wish to exercise any of these rights, please email our Data Protection Officer: [email protected]. Please note that these rights are not absolute and there are certain exemptions to them; if any of those apply to your request to exercise your rights, we will let you know.  

It is usually free for you to exercise your rights and we aim to respond within one month (although we may ask you if we can extend this deadline up to a maximum of two months if your request is particularly complex or we receive multiple requests at once).

We can decide not to take any action in relation to a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive. If this happens, we will always inform you in writing. We may charge a fee where we decide to proceed with a request that we believe is unfounded or excessive. 

Where we act as a joint controller (e.g. with your GP), we may inform the other organisation that acts with us that you have made a request. Depending on what you have asked for, it may be more appropriate for the other organisation to respond to you instead of CCL. We will always let you know what our approach will be. 

Where our processing is based on you having provided consent to the collection, processing and transfer of your personal data for a specific purpose, you also have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please email [email protected]. Where these circumstances apply, once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Where we act as a joint controller for the affected personal data, we notify the other joint controller (e.g. your GP) to arrange between ourselves who will lead the investigation and submit any report to the regulator. 

If you have any concerns about the security of your data shared with CCL, please notify our Data Protection Officer at this email address: [email protected]

Your legal rights

Access: You must be told if your personal data is being used and you can ask for a copy of your personal data as well as information about how we are using it to make sure we are abiding by the law. 

Correction: You can ask us to correct your personal data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes. 

Restriction: You can ask us to restrict how we use your personal data and temporarily limit the way we use it (e.g. whilst you check that the personal data we hold for you is correct). 

Objection: You can object to us using your personal data if you want us to stop using it. We always comply with your request if you ask us to stop sending you marketing communications but in other cases, we decide whether we will continue. If we think there is a good reason for us to keep using the information, we will let you know and explain our decision. 

Portability: You can ask us to send you or another organisation an electronic copy of your personal data. 

Complaints: If you are unhappy with the way we collect and use your personal data, you can complain to the ICO or another relevant supervisory body, but we hope that we can respond to your concerns before it reaches that stage. You should speak to our Data Protection Officer ([email protected]) in the first instance. 
