PHIN privacy notice

The Private Healthcare Information Network (‘PHIN’) is committed to protecting and respecting your privacy. Any references to ‘we’, ‘us’ and ‘our’ are references to PHIN. This notice sets out the basis on which any Personal Data we collect will be processed.

For the purposes of the UK GDPR (Retained Regulation (EU) 2016/679), Data Protection Act 2018, the EU General Data Protection Regulations (to the extent that processing occurs outside of the EU or concerns EU residents) (‘GDPR’), PHIN will be the ‘data controller’ for all personal information we determine the means and purpose of processing and has registered with the Information Commissioners Office under registration number ZA026075.

“Personal Data” is defined within the GDPR and for the purposes of this privacy notice to mean any information relating to an identified or identifiable natural, living person.

Visitors to our website

Purpose and legal basis for processing

We collect data on our website usage in order to monitor the performance of our websites (including www.phin.org.uk, and the PHIN Portal), to improve the sites and the services we offer to our users. The legal basis we rely on to process Personal Data is Article 6(1)(f) of the GDPR, which allows us to process Personal Data when it is necessary for the purposes of our legitimate interests. In this case our legitimate interests are to define types of customers for our services, to monitor the performance of our websites and keep the content updated and relevant, to develop our business and to inform our marketing strategy.

What data do we process?

We do not collect any Personal Data consisting of identity data (for example, your name, marital status, title, date of birth or similar data) or contact data (email address, phone numbers etc) through direct interactions with you through our websites, unless you choose to provide such details by contacting us directly e.g. by email. The only exception to this is consultant profile data entered via the PHIN Portal (see the Consultants Providing Private Healthcare Services section of this notice).

Our websites do, however, make limited use of 'cookies' with your approval, to improve your experience of our sites. This means that some Personal Data (including internet protocol (IP) address) “Technical Data1” and usage data, such as the number of visitors to the various parts of our sites (“Usage Data”) will be collected through our websites.

We use Hotjar in order to better understand our users’ needs and to optimise this service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy here.

If your internet software is configured to not allow cookies, you may experience some difficulty in using our search and compare features.

Why we need this data and what we do with it

Analytics

When you visit www.phin.org.uk or the PHIN Portal, we use a third-party service, Google Analytics (based outside of the EU), to collect standard internet log data and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of our sites.

This data is only processed in a way that does not directly identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our websites.

Personal Data

Google Analytics is a web analysis service provided by Google. Google may process this data in the USA. We rely on the Standard Contractual Clauses as approved by the EU Commission and ICO (respectively) to transfer this data to Google servers which are located in the US. See Google's privacy policy here for more information. Neither the PHIN website or PHIN Portal carry any advertising materials.

Cookies

We use cookies to provide a better experience browsing our websites, including for interactive features as well as to analyse our traffic.

The non-essential cookies utilised for the functions set out above are only enabled with your consent, which you can provide or withhold when entering the website for the first time, or at anytime after by using the link to the cookie policy.

Cookie Name/Type	Purpose	Provider	Expiry
cookie-decision-recorded-v2	To record whether a user has registered a decision about cookies, so the website can decide whether prompt a user for Cookie decision. This information is not sent to the server.	PHIN	Persistent
list-view	To save the users decision on whether they want search results to be presented as a list or as tiles. This information is not sent to the server.	PHIN	Persistent
search-session	Stored the user's consultants or hospitals that they have added to their list. ("My List")	PHIN	Persistent
search-session-server-id	An id which can be used to retrieve a user's list of hospital and consultants ("My List") from the server. This is to allow a user to share their list.	PHIN	Persistent
user-allows-tracking-v2	Stores whether the user has opted into Google Analytics, triggering Google's tracking code.	PHIN	Persistent
ai_user	To track errors that occur in the Browser and report them to Microsoft Azure Application Insights.	Microsoft Azure	1 day
ai_session	To track errors that occur in the Browser and report them to Microsoft Azure Application Insights.	Microsoft Azure	1 day
AI_buffer	To track errors that occur in the Browser and report them to Microsoft Azure Application Insights.	Microsoft Azure	Session
AI_sentBuffer	To track errors that occur in the Browser and report them to Microsoft Azure Application Insights.	Microsoft Azure	Session
_ga	Used to distinguish users.	Google Analytics (GA4 & Universal)	2 years
_gid	Used to distinguish users.	Google Analytics (GA4 & Universal)	24 hours
_ga_JXDG5WLELS	Used to persist session state.	Google Analytics (GA4 )	2 years
_dc_gtm_2	Used to throttle request rate.	Google Analytics (Universal)	1 minute
_gac_2	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. Learn more.	Google Analytics (Universal)	90 days
_hjid	Hotjar cookie that is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behaviour in subsequent visits to the same site will be attributed to the same user ID.	HotJar	365 days
_hjFirstSeen	This is set to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.	HotJar	Session
_hjIncludedInPageviewSample	This cookie is set to let Hotjar know whether that user is included in the data sampling defined by your site's pageview limit.	HotJar	30 minutes
_hjAbsoluteSessionInProgress	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.	HotJar	30 Minutes
_hjDonePolls	Hotjar cookie that is set once a user completes a survey using the On-site Survey widget. It is used to ensure that the same survey does not reappear if it has already been filled in.	HotJar	365 days

Search Engine

Search queries and results are logged anonymously to help us improve our websites and search functionality. No Personal Data is collected using the search engine on any of our sites.

Security and Performance

We use firewalls to help maintain the security and performance of our websites. The firewalls check that traffic to the sites is behaving as would be expected and will attempt to block traffic that is not using the sites as expected. To provide this service, the system processes site visitors’ IP addresses, which are retained for thirty days.

How long do we keep data we collect?

We retain Personal Data of the nature set out above for a maximum period of 38 months from the date on which such data is collected.

What are your rights?

Where we are processing Personal Data for our legitimate interests as stated above, you have the right to object to our processing of your Personal Data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Read more about your rights in the 'Your data protection rights' section below.

Do we use any data processors?

Yes, we use a third-party service, Google Analytics (based outside of the EU), to collect standard internet log data and details of visitor behaviour patterns and HotJar to monitor user interaction with our website, please see above for further details.

We use a third-party company to support and manage our firewall.

We use a third-party cloud services provider, based in the UK, to host the www.phin.org.uk website and the PHIN Portal.

Patients who receive private treatment in the UK

Purpose and legal basis for processing

The Private Healthcare Information Network (PHIN) is the independent government mandated source of information on privately funded care in the UK. As the official ‘information organisation’ under the Competition & Markets Authority (CMA) Private Healthcare Market Investigation Order 2014 (as amended), we are responsible for collecting quality and safety data on privately funded healthcare in the UK, and publishing performance measures through our website. We do this in order to help people to choose their care providers. Hospitals providing private care are required by law to send us details of each treatment episode. This will include Personal Data.

Data collected from hospitals about patients’ treatment is vital to producing the important measures of healthcare safety and quality that can be found on our website.

We cannot directly identify you from any of the data we receive or any patient data we process. We do, however, recognise that the data we hold is still personal and confidential.

We want you to be reassured about the Personal Data that we receive; how it is kept safe and how it is used. We are committed to safeguarding the data we receive from hospitals, including Personal Data. Whenever we receive Personal Data, we are legally obliged to use it in accordance with all applicable data protection laws, Read more in the ‘How we maintain data security’ section of this notice.

Under the GDPR, the legal bases for processing this Personal Data are:

• Article 6(1)(c) – compliance with a legal obligation;
• Article 6(1)(e) – necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• Article 9(2)(h) – management of health or social care systems and services;
• Article 9(2)(i) – ensuring high standards of quality and safety of health care.

For more information about these, please visit the ICO website.

What data do we process?

• National Health Service (NHS) number (England/Wales), Community Health Index (CHI) number (Scotland), or Health and Care number (Northern Ireland) or, in the case of patients from outside the UK, a suitable equivalent identifier e.g. passport number;
• Your age;
• Your gender;
• Your ethnicity or race;
• Your diagnosis (what you are receiving treatment for);
• Other data about your state of health;
• The procedure you have undergone;
• The date you came into hospital, and the date you left;
• Your postcode.

NB: For residents of Scotland, the Community Health Index (CHI) Number includes date of birth.

Why we need this data and what we do with it

We publish how many patients each hospital and each consultant treat privately, how long they stay in hospital, and how safe and effective the care delivered is, using measures aligned to the NHS. We will publish eleven measures in total as required by the Order. These measures are listed on our website here. We need to know ages, locations and other details because these can affect the complexity of providing care, and we take those factors into account when measuring quality. We also need to use data to be able to identify outcomes related to specific episodes of care.

How long do we keep data we collect?

Data is held securely and although we know which records relate to an individual patient, we never know who the patient is. Only your hospital and consultant will know who you are.

We will retain Personal Data for a maximum of seven years from the end of the year to which it relates to demonstrate compliance with the Order and to enable analysis of long-term trends. Once Personal Data is no longer required it is permanently deleted or anonymised.

What are your rights?

By law, your hospital must share the data listed above with us and we must process this data to comply with the CMA Order. ICO guidance on how this affects data subjects’ rights is available here.

Read more about your rights in the 'Your data protection rights' section below.

Do we use any data processors?

Yes – we use a third-party cloud services provider, based in the UK, to host data in a secure environment.

Do we share your data?

Under specific circumstances, Personal Data may be shared with third parties such as NHS England for the purposes of clearly defined research projects such as the Acute Data Alignment Programme (ADAPt). Further information and details of the supporting transparency notices can be located here.

Consultants providing private healthcare services in the UK

Purpose and legal basis for processing

The Private Healthcare Information Network (PHIN) is the independent government-mandated source of information on privately funded care in the UK. As the official ‘information organisation’ under the Competition & Markets Authority (CMA) Private Healthcare Market Investigation Order 2014 (as amended), we are responsible for collecting quality and safety data on privately funded healthcare in the UK, and publishing performance measures through our website.

Our mandate requires us to work with all hospitals and consultants providing private healthcare across the whole of the UK. That mandate imposes a legal duty on hospitals to submit data on quality and safety and on consultants to submit fee information.

The CMA’s Order is issued under the Enterprise Act 2002 and specifies 11 performance measures for PHIN to publish, by procedure, at both hospital and consultant level.

Under the General Data Protection Regulation (GDPR), our legal basis for processing Personal Data about consultants providing private healthcare services in the UK are:

Note: Each purpose of processing is explained in the following ‘Why we need this data and what we do with it’ section.

• Purpose 1-3: Article 6(1)(c) –compliance with a legal obligation and Article 6(1)(e) - necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• Purpose 4: Article 6(1)(e) –necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• Purpose 5: Article 6(1)(a) –the processing is carried out with your consent.
• Purpose 6: Article 6(1)(f) – legitimate interests of the business not overridden by the rights of the data subject

What data do we process?

To ensure that we publish performance measures for all consultants providing private healthcare services we receive the following data from the GMC.

• Full name;
• Gender;
• GMC number and registration details (Inc. fitness to practice);
• Qualification details;
• Speciality details;
• Email address.

We do not receive any special category data regarding consultant’s with Private Practice. However, the PHIN Portal allows consultants to add additional profile information. Where this includes special category data, the data is processed under Article 9(1)(a) of the GDPR which means that the data is processed with your explicit consent.

We also receive patient activity data from providers assigned to consultants who provided the treatment.

Why we need this data and what we do with it

• Purpose 1: We are required to publish eleven performance measures for all consultants who provide private healthcare services in the UK. The data received from hospital providers directly drives the performance measures we are required to publish. We are also required to publish consultation and procedure fees for these consultants.
• Purpose 2: We will use the contact details registered with the GMC to contact you to inform you of your legal requirements under the Order and details of the quality assurance and sign off process.
• Purpose 3: We operate a portal to provide, prior to publication, secure access to the pseudonymised patient records underpinning the performance measures for quality assurance and validation (subject to terms and conditions of use). The PHIN Portal also enables consultants to submit their fee information. To operate this portal, we issue user accounts to consultants and to other nominated individuals at provider hospitals.
• Purpose 4: Publishing, alongside your private work, your NHS funded workload, in the consultant level performance measures. You can choose to have your NHS activity excluded from your published measures, but this will not affect the processing and publication of your professional profile data or performance measures relating to private patient activity as this is required by the Order.
• Purpose 5: We also offer you the option to expand your professional profile by adding a photograph and other professional details i.e. a short biography, qualifications, clinical interests. This is voluntary and therefore this data is only processed with your consent.
• Purpose 6: Providing non-essential (to differentiate between Purpose 2) informative communications regarding the activities undertaken by PHIN and how to make the best use of the PHIN Portal. These are always issued with an unsubscribe function available.

How long do we keep data we collect?

We will retain professionally Personal Data for as long as you continue to practice and thereafter for seven years. Any data provided to us under your consent, or processed outside of the mandate of the Order will be deleted on your instruction. Once Personal Data is no longer required it is permanently deleted.

What are your rights?

By law, we must process and publish consultant profiles to comply with the CMA Order. Guidance from the Information Commissioners Office (ICO) on how this affects data subjects’ rights is available here.

If you wish to withdraw consent for Personal Data supplied voluntarily i.e. profile pictures and additional profile information beyond what is required by law, you can remove this at any time by logging onto the PHIN portal.

Read more about your rights in the “Your data protection rights” section in this notice.

Do we use any data processors?

Yes – we use a third-party cloud services provider, based in the UK, to host data in a secure environment.

Members & member representatives

This includes representatives from organisations with whom we have a working relationship (Inc. users of our online Portal).

Purpose and legal basis for processing

The Private Healthcare Information Network (PHIN) is the independent government mandated source of information on privately funded care in the UK. As the official ‘information organisation’ under the Competition & Markets Authority (CMA) Private Healthcare Market Investigation Order 2014 (as amended), we are responsible for collecting quality and safety data on privately funded healthcare in the UK, and publishing performance measures through our website.

Our mandate requires us to work with all hospitals and consultants providing private healthcare across the whole of the UK. That mandate imposes a legal duty on hospitals to submit data on quality and safety and on consultants to submit fee information.

The CMA’s Order is issued under the Enterprise Act 2002 and specifies 11 performance measures for PHIN to publish, by procedure, at both hospital and consultant level.

Under the General Data Protection Regulation (GDPR), our legal basis for processing Personal Data in connection with purpose 1-5 is:

• Article 6(1)(c) - compliance with a legal obligation; and;
• Article 6(1)(e) - necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

The legal basis for processing Personal Data in connection with purpose 6 is:

• Article 6(1)(f) - legitimate interests in maintaining our working relationship and updating you and your employer regarding our progress and processes.

Note: Each purpose of processing is explained in the following ‘Why we need this data and what we do with it’ section.

When we collect any information about dietary or access requirements the legal basis we rely on for processing is your consent under article 6(1)(a) of the GDPR. We also need your consent under Article 9(2)(a) as this type of information is classed as special category data.

What data do we process?

We collect the following data:

• Name;
• Email address;
• Telephone number;
• Role or job title;
• Employing organisation name;
• Employing organisation postal address;
• Access and dietary requirements (if attending an event).

Why we need this data and what we do with it

We will only use the Personal Data supplied by providers for the purpose of the collaboration i.e.

• Purpose 1: to collect payment of subscription fees as required under the Order;
• Purpose 2: to set up and provide access to the PHIN Portal to provide, prior to publication, secure access to the pseudonymised patient records underpinning the performance measures for quality assurance and validation (subject to terms and conditions of use). In order to operate this portal, we issue user accounts to nominated individuals at provider hospitals;
• Purpose 3: to set up Secure File Transfer Protocol (SFTP) accounts to send and receive data securely;
• Purpose 4: to maintain our working relationship (Inc. direct contact by phone and email);
• Purpose 5: the administration of meetings and to facilitate events for you to attend as representatives of our member organisations and stakeholders. If you attend one of our meetings/events, you will be asked to provide your contact details including your organisation’s name and information about any dietary requirements or access provisions you may need. We don’t share this data in any identifiable way with the venue, and we delete it after the event.
• Purpose 6: we use the email address you use for work purposes to send you our member briefings and direct mailings. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our communications.

How long do we keep data we collect?

We will retain professionally Personal Data for as long as you remain employed by the organisation and represent your employer, and thereafter for a maximum of seven years. Once this data is no longer required it is permanently deleted.

What are your rights?

By law, we must process certain data to comply with the CMA Order. ICO guidance on how this affects data subjects’ rights is available here.

Where we rely on your consent to process the Personal Data you give us to facilitate an event you have the right to withdraw your consent at any time. If you do that, we’ll update our records immediately to reflect your wishes.

Where we are processing your Personal Data for our legitimate interests, you have the right to object to our processing of your Personal Data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Read more about your rights in the 'Your data protection rights' section in this notice.

Do we use any data processors?

Yes – we use a third-party system, based within the EEA, for member mailings and third-party venues to facilitate events.

We also use a third-party cloud services provider, based in the UK, to host data in a secure environment.

We may also share your Personal Data in the event of the non-payment of subscription fees. If the debt remains outstanding after the specified timeframe for payment, no payment plan is in place or an agreed payment plan is not being adhered to, we may initiate formal proceedings to recover the full amount of the unpaid fees. As a result, we will share Personal Data with the litigation and recovery specialists we instruct in order for them to undertake recovery action through the courts.

Visitors to our office

Purpose and legal basis for processing

We meet visitors at our office for various reasons, including suppliers and tradespeople, stakeholders and job applicants.

If your visit is planned, we’ll send your visit details, including your company name and job title, to the King’s Fund reception before your visit for security reasons and so they expect your arrival. All visitors are asked to sign in and out at reception. This process is not managed by us, so we are not the controller.

Closed-circuit television (CCTV) operates within and outside the building for security purposes. The CCTV system is not operated by us, so we are not the controller. The system is under the control of the Kings Fund as the building landlord.

We have Wi-Fi on site for the use of visitors. We’ll provide you with the address and password.

The purpose for processing data is to provide you with access to the internet whilst visiting our site. The legal basis we rely on to process your Personal Data is Article 6(1)(f) of the GDPR, which allows us to process Personal Data when it is necessary for the purposes of our legitimate interests.

What data do we process?

When visitors use our WiFi we record the device address and will automatically allocate you an IP address whilst on site. We also log traffic data in the form of sites visited, duration and date sent/received.

We don’t ask you to agree to terms, just to the fact that we have no responsibility or control over your use of the internet while you are on site, and we don’t ask you to provide any of your details to get this service.

Why we need this data and what we do with it

Internet log details are only processed to monitor your use of the internet whilst visiting our site.

Details relating to your visit will be processed depending on the nature of your visit (suppliers of goods and services, members/member representatives or job applicants).

How long do we keep data we collect?

Internet log details are retained for 30 days.

Details relating to your visit will be retained depending on the nature of your visit (e.g. suppliers of goods and services, members/member representatives or job applicants).

What are your rights?

Where we are processing your Personal Data for our legitimate interests as stated above, you have the right to object to our processing of your Personal Data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Read more about your rights in the “Your data protection rights” section in this notice.

Do we use any data processors?

Yes, we use a third-party cloud services provider, based in the UK, to host data in a secure environment.

We are also not the Data Controller for CCTV systems or sign in sheets as detailed within this section.

Employees and Applicants

This includes job applicants, current and former employees (including Board members).

Purpose and legal basis for processing

This section describes how we collect and use Personal Data about you before, during and after your working relationship with us.

The legal basis we rely on for processing Personal Data, as listed in the ‘What data do we process?’ section below, is Article 6(1)(b) GDPR which relates to processing necessary to allow us to perform our contract with you or to take steps at your request, before entering a contract [*]. We also process Personal Data under Article 6(1)(c) of the GDPR to enable us to comply with legal obligations [**]. In some cases, we may use Personal Data to pursue our legitimate interests (Article 6(1)(f) of the GDPR) [***], provided your interests and fundamental rights do not override those interests. The purposes for which we will process your Personal Data are listed below.

We have indicated by asterisks the purpose or purposes for which we are processing or will process Personal Data, as well as indicating which categories of data are involved.

• To assess your suitability for a role you have applied for*
• Contacting you and communicating with you*
• Making a decision about your recruitment or appointment*
• Determining the terms on which you work for us*
• Checking you are legally entitled to work in the UK*
• Paying you and, if you are an employee, deducting tax and National Insurance contributions*
• Providing benefits to you including Pension, Life Assurance and Income Protection*
• Liaising with your pension provider**
• Administering the contract, we have or are entering into with you*
• Business management and planning, including accounting and auditing**
• Organising training and events*
• Celebrating birthdays, work anniversaries and similar events. (If you do not wish these events to be marked, please tell your line manager or the Director of People and Process). This is primarily to be the best employer we can be and to maintain morale***
• Conducting performance reviews, managing performance and determining performance requirements*
• Making decisions about salary reviews and compensation*
• Assessing qualifications for a particular job or task, including decisions about promotions*
• Gathering evidence for possible grievance or disciplinary hearings*
• Making decisions about your continued employment or engagement*
• Making arrangements for the termination of our working relationship*
• Education, training and development requirements*
• Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work**
• Ascertaining your fitness to work*
• Managing sickness absence*
• Complying with health and safety obligations**
• Providing occupational health and employee assistance programs**
• Contacting your emergency contact or next of kin in the event of an emergency*
• To prevent fraud*
• To monitor your use of our information and communication systems to ensure compliance with our policies and procedures*
• To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution*
• To help us to better manage the company, for example by reviewing and managing employee absence or retention and attrition rates***
• Equal opportunities monitoring**

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your Personal Data.

Special Categories of Personal Data and criminal convictions

'Special categories' or sensitive Personal Data require higher levels of protection. We need to have further justification for collecting, storing and using this type of Personal Data. The legal basis we rely on under the GDPR to process any Personal Data you provide as part of your application, or during your employment, which is special category data, such as health, religious or ethnic information is:

• Article 9(2)(b) – which also relates to our obligations in employment and the safeguarding of your fundamental rights i.e. where we need to carry out our legal or contractual obligations as your employer;
• Article 9(2)(c) – where it is needed to protect your vital interests (or someone else's vital interests) and you are not capable of giving your consent;
• Article 9(2)(e) – where you have already made the information public.
• Article 9(2)(f) – where it is needed in relation to legal claims;
• Article 9(2)(g) – where it is needed in the substantial public interest, such as for equal opportunities monitoring;

We will use your sensitive Personal Data in the following ways:

• We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws;
• We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.

Some roles also require a higher level of security clearance. We hold information about criminal convictions per paragraph 2.1 of your contract of employment.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us.

Under the Data Protection Act 2018 the relevant provisions for processing your Personal Data are Schedule 1 part 1(1) and (2)(a) and (b) which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.

In any other circumstances, we would require your explicit written consent to process sensitive Personal Data.

Do we need your consent?

We do not need your consent to use Personal Data in the circumstances stated above. In any other circumstances, we would need to approach you for your written consent to allow us to process Personal Data. If we do so, we will provide you with full details of the data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

Your obligations to provide accurate Personal Data

You are required to ensure that we hold accurate and current details for you and that you inform us promptly of any changes, for example a change of address. You can check and amend this information through our HR administration system, or else through written communication with your line manager or the Director of People and Process.

If you fail to provide certain information when requested, or fail to keep it up to date, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Who has access to your Personal Data?

Access to and use of your Personal Data within the organisation is limited to those specific individuals’ who need to have access to it to fulfil their role within the organisation and ensure that we can act in the manner detailed in this document.

For most data, this will be:

• Your Line Manager;
• Your Department Director;
• The Director of People and Process;
• The Finance Director;
• The Chief Executive;
• Other administrative staff as appointed from time to time.

Data sharing, processing and access involving third parties

For some processing activities for the purposes stated above, we may need to:

• contract third parties to act as a data processor on our behalf where we remain the data controller; or
• share your Personal Data with third parties where they are also data controllers, such as professional advisors and auditors.

Where third parties act as data processors on our behalf, we require those third parties to adhere to our standards and processes for information governance, in accordance with this notice. Examples include:

• contracted administrative staff working on our behalf with access to our email and administrative folders;
• payroll services, our HR administration system and our pension administrator.
• cloud storage, a third-party data processor is used for record storage. Records are held in encrypted files on secure online servers at data centres based in the EEA.

The cloud storage, our HR administration system, accounting software and other systems holding Personal Data are administered by individuals with privileged access to financial and HR information as listed above, separately to other systems in the company, to ensure confidentiality.

Where Personal Data is shared with third parties who act as data controllers in their own right, they will also make their terms of service available and maintain their own privacy notice. These organisations have separate duties to you and your relationship with them may continue beyond your term of service with us. It is likely that you will directly provide most of the information that they need after the initial introduction.

Examples would include

• your pension plan provider;
• pension and benefits advisory services;
• occupational health and employee assistance services.

We are responsible for ensuring that these third parties are fit and proper organisations to undertake the services offered.

Why might we share Personal Data with third parties?

We may share your Personal Data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

How secure is my data with third-party service providers?

In all circumstances we take reasonable measures to ensure that third-party service providers take appropriate security measures to protect Personal Data in line with our policies. We do not allow third-party service providers to use Personal Data for their own purposes. We only permit them to process Personal Data for specified purposes and in accordance with our instructions.

Data protection policies

Our policies on data protection, information governance, security, incident management and other related issues can be found on our cloud storage share, which is accessible to all staff, or can be requested from your line manager, the Director of People and Process or our Data Protection Officer.

Automated decision-making

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

Change of purpose

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

What data do we process?

We collect, store, and use the following categories of Personal Data about you:

• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
• Date of birth;
• Gender;
• Marital status and dependants;
• Next of kin and emergency contact details;
• National Insurance number;
• Bank account details, payroll records and tax status details;
• Salary, annual leave, pension and benefits information;
• Your annual Tax Code;
• Start date and length of service;
• Location of employment or workplace;
• Copy of driving licence, Passport, Household bills;
• Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process);
• Employment records (including job titles, work history, working hours, training records and professional memberships);
• Compensation history;
• Performance information;
• Disciplinary and grievance information;
• Details about your use of our information and communications systems;
• Photographs.

We also collect, store and use the following 'special category data' or more sensitive Personal Data:

• Information about your health, including any medical condition, health and sickness records;
• Information about criminal convictions and offences.

We typically collect Personal Data about employees, workers and contractors through the application and recruitment process, either directly from candidates or through a recruitment agency or background check provider. We may sometimes collect additional data from third parties including former employers or credit reference agencies.

We will collect additional Personal Data in the course of job-related activities throughout the period of you working for us.

Why we need this data and what we do it?

We will use all the data you provide during the recruitment process to progress your application with a view to offering you an employment contract with us, or to fulfil legal requirements if necessary.

We will not share any of the data you provide with any third parties for marketing purposes.

We will use the contact details you give us to contact you to progress your application and use the other data you provide to assess your suitability for the role.

We do not collect more data than we need to fulfil our stated purposes and will not keep it longer than necessary.

The data we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it may affect your application if you don’t.

We will only use your Personal Data when we have a lawful basis to do so. Most commonly, we will use your Personal Data in the following circumstances:

• In order to perform or enter into a contract with you;
• Where we need to comply with a legal obligation;
• Where it is necessary for our legitimate interests, provided that having considered the specific circumstances and risks of processing, we have concluded that your interests and rights would not override our interests.

We may also use your Personal Data in the following situations, which are likely to be rare:

• Where we need to protect your interests;
• Where it is needed in the public interest, or for official purposes.

The following information details the use of your data during each of the stages in the recruitment and employment process:

Shortlisting

Our hiring managers shortlist applications for interview and are required to do so fairly and in accordance with the Equality Act.

Assessments

We may ask you to participate in assessments; complete tests; attend an interview; or a combination of these. Information will be generated by you and by us. For example, you might complete a written test, or we might take interview notes. This information is held by us.

If you are unsuccessful after assessment for the role, we will destroy all Personal Data 6 months after appointment of the successful candidate.

Conditional offer

If we make a conditional offer of employment, we’ll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability.

You must therefore provide:

• proof of your identity – you will be asked to attend our office with original documents; we’ll take copies;
• proof of your qualifications – you will be asked to attend our office with original documents; we’ll take copies;
• a questionnaire about your health to establish your fitness to work;

Some roles also require a higher level of security clearance – this will be clear in the offer letter or job description (or both). If so, we will pass your title, name, address, email address, date of birth, telephone number, copy of your passport/driving license, proof of residence e.g. a copy of a utility bill or similar, start date and job title to Experian, for an identity, financial, and Basic Criminal Record check. Experian will be a data controller in their own right for this data and you can read their privacy notice here.

Experian will provide a report to us detailing whether your application is successful or not. If it is not, we will not be told the reasons, but we may need to review your suitability for the role or how you perform your duties.

We will also contact your referees, using the details you provide in your application, directly or via the recruitment agency to obtain references.

If we make a final offer, we’ll also ask you for the following:

• bank details – to process salary payments;
• emergency contact details – so we know who to contact in case you have an emergency at work.

After your start date

Our employment contract requires all staff to declare if they have any potential conflicts of interest. If you complete a declaration, the information will be held on your personnel file. You will also need to declare any secondary employment.

How we make decisions about recruitment

Final recruitment decisions are made by hiring managers and members of our recruitment team. We take account of all the information gathered during the application process. Any testing is marked manually.

You can ask about decisions on your application by speaking to your contact at the recruitment agency or a member of our recruitment team.

How long do we keep data we collect?

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your Personal Data are available in our Records Management policy which can be found on our cloud storage share and is accessible to all staff.

Recruitment data for unsuccessful applicants will be retained for 6 months after appointment of the successful applicant and personnel files for staff will be retained for 6 years after your employment and then a summary kept until your 75th Birthday.

To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, in which case we may use such data without further notice to you. Once you are no longer an employee, worker or contractor we will retain and securely destroy your Personal Data in accordance with our Records Management policy.

What are your rights?

Most of your Personal Data is readily available to you in our HR administration system at all times. You are also able to correct and update most details at any point through this system, and indeed are required to ensure that your data is kept up to date.

Read more about your rights in the 'Your data protection rights' section in this notice.

Do we use any data processors?

Yes, if you accept a final offer from us, some of your personnel records will be held on our HR administration system, based within the EEA, which is provided by a third party.

If you are employed by us, relevant details about you will also be provided to our booking keeping and payroll services provider, based in the UK. This will include your name, bank details, address, date of birth, National Insurance Number and salary.

Likewise, your details will be provided to a third-party administrator of our Pension Scheme who is responsible for, along with our HR team, maintaining up-to-date information for our pension scheme provider. You will be auto-enrolled into the pension scheme after 3 months service. The details provided to the pension administrator and pension provider will be your name, address, date of birth, National Insurance number, salary and contribution details. Your bank details will not be passed on at this time. These details are held on the pension scheme provider’s system and they are a Data Controller in their own right for this information.

Our building landlord, the Kings Fund, also requires you to have an identity badge, including photograph, for security purposes. The system is not operated by us, and we are not the controller.

For vacancies, we advertise through a select number of recruitment agencies. These recruitment agencies will collect the application information and assess your suitability for the role. Data collected by recruitment agencies will be kept in line with their requirements and we advise you to read their privacy notices.

Suppliers of goods and services

This includes professional advisors and auditors.

Purpose and legal basis for processing

When companies provide goods or services or are being considered as a potential supplier, we will only use the Personal Data they supply, which may include names and contact details for individuals, to maintain our working relationship and contractual arrangements. This may include monitoring of the service and levels of service provided to us.

Our lawful bases for processing supplier contact details is:

• Article 6(1)(f) – the 'processing is necessary for the purposes of legitimate interests pursued by the controller or third party';

What data do we process?

We will process the following Personal Data about individuals representing suppliers of goods and services:

• Name;
• Email address;
• Telephone number;
• Role or job title;
• Employing organisation name;
• Employing organisation postal address.

Why we need this data and what we do with it

We will only use the Personal Data supplied to maintain contact with our suppliers and when considering new potential suppliers.

How long do we keep data we collect?

We will retain professionally Personal Data for as long as you remain employed by the supplier and represent your employer. Once this Personal Data is no longer required it is permanently deleted.

What are your rights?

As we are processing Personal Data for our legitimate interests as stated above, you have the right to object to our processing of your Personal Data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Read more about your rights in the 'Your data protection rights' section in this notice.

Do we use any data processors?

Yes – we use a third-party supplier of an IT system, based within the EEA, to record details of suppliers and their representatives.

People who contact us

People who contact us by email, post, phone or social media including complainants and enquirers.

Purpose and legal basis for processing

When you contact us to make an enquiry or complaint, we collect information, including Personal Data, so that we can respond to it.

The legal basis we rely on to process your Personal Data is Article 6(1)(a) of the General Data Protection Regulation (GDPR) and therefore this data is processed with consent i.e. where you have chosen to provide information to us.

If the information you provide to us in relation to your enquiry contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is Article 9(1)(a) of the GDPR which means that the data is processed with your explicit consent.

We do not collect Calling Line Identification (CLI) information or audio-record calls.

What data do we process?

The information we process will depend on the reasons for contacting us. However, it will only include the data that you have chosen to provide e.g. if the reason for contacting us requires a response we will need enough information from you to answer your enquiry and will need to collect basic details such as name and number/contact email address/postal address and, where relevant, the name of the organisation you represent in order to get back to you.

If the reason for contacting us is to make a complaint we need sufficient information from you to investigate your complaint properly. Our complaint forms are designed to prompt you to give us everything we need to understand what’s happened.

When we receive an enquiry or complaint from you, we’ll keep this on file. This normally includes your contact details and any other information you have given us, including information about the other parties involved in a complaint.

Why we need this data and what we do with it

We’ll set up a file to record your enquiry or complaint and so we can get it to the correct area of the business to be dealt with. We’ll also keep a record of our response. We use the data supplied to us to deal with the enquiry and/or investigate the complaint and any subsequent issues that may arise, and to check on the level of service we provide.

We compile and may publish statistics showing information like the number of complaints we receive, but not in a form that identifies anyone.

No third parties have access to your Personal Data unless the law allows them to do so. However, if you have made a complaint about an individual, we usually have to disclose your identity to them. This is so we can clearly explain to them what you think has gone wrong and if necessary, advise them how to put it right.

If you don’t want data that identifies you to be shared with the individual you want to complain about, we’ll try to respect that. However, it is not always possible to handle a complaint on an anonymous basis, so we’ll contact you to discuss this.

If you are acting on behalf of someone making a complaint, we’ll ask for information to satisfy us of your identity and if relevant, ask for information to show you have authority to act on someone else’s behalf.

We’ll only use Personal Data to respond to you and make a record of our communications with you, both verbal and written.

Depending on your chosen method of contact the following will also apply:

• Email – We monitor any emails sent to us, including file attachments, for viruses or malicious software. You must ensure that any email you send is within the bounds of the law. We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security. Most webmail such as Gmail and Hotmail use TLS by default.
• Phone – We may use the phone number you have given us to call you back if you have asked us to do so, if your call drops, or if there is a problem with the line. We don’t audio record any calls unless you choose to leave a voicemail message, but we might make notes.
• Social Media – If you send us a private or direct message via social media, it will be stored for three months. It will not be shared with any other organisations other than us. We see all this data and decide how we manage it. For example, if you send a message via social media that needs a response from us, we will process it in as an enquiry or a complaint.

How long do we keep data we collect?

The retention period will largely depend on the nature of your communications. Social media private messages are retained for 3 months and complaint files for 2 years following closure of the complaint.

What are your rights?

You have the right to withdraw consent at any time and the right to object to our processing of your Personal Data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Read more about your rights in the 'Your data protection rights' section in this notice.

Do we use any data processors?

Yes – we use Microsoft Office 365 to store email, hosted within the UK, and a third-party cloud service provider, based in the EEA, to host data in a secure environment. We also use a third-party service to provide our telecoms and voicemail service.

Data protection and security

Data Controllers contact details

The Private Healthcare Information Network (PHIN) is the data controller for the Personal Data processed as described in this notice, unless otherwise stated.

For general enquiries please email info@phin.org.uk or write to us at:

The Private Healthcare Information Network
11 Cavendish Square
London
W1G 0AN

Phone: 020 7307 2862

Our Data Protection Officer

Our Data Protection Officer is Ben Seretny. You can contact our DPO by emailing infogov@phin.org.uk.

How we maintain Data security

Your data is held securely at all times. We comply with the Data Protection Act 2018, the UK General Data Protection Regulations (UKGDPR) and NHS requirements for patient confidentiality. We are certified to the ISO27001 international standard for information security management systems, and have been audited by NHS England, the national NHS information authority in England.

We have put in place appropriate security measures to prevent Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process Personal Data on our instructions and they are subject to a duty of confidentiality.

Patient data we hold is pseudonymised meaning that it is processed in a manner that it can no longer be attributed to a specific individual without the use of additional information. All individuals working for us are trained in Data Protection and are informed that intentionally re-identifying a data subject from pseudonymised data is a criminal offence.

We have established procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach wherever possible and always where we are legally required to do so.

Your data protection rights

Under certain circumstances, you have rights under data protection laws in relation to any Personal Data collected.

For more information on your rights, please see information on the Information Commissioner’s Office (ICO) website relating to ‘Your rights as an individual'.

This includes the right to:

• Access – you can request access to your Personal Data (commonly known as a "data subject access request"). This enables you to receive a copy of the Personal Data we hold about you and to check that we are processing it lawfully.
• Rectify – you can request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.

You can also ask us to:

• Erase your data – you can request the erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. This only applies in certain circumstances i.e. where we no longer need your data, you would like to withdraw consent previously given (if applicable), your interests outweigh our legitimate interests, we are under a legal obligation to erase your data or we have collected or used your data unlawfully.
• Restrict processing – you can request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it and during any queries or investigations relating to your right to rectification and/or erasure.
• Object to processing – You have the right to ask us to stop processing Personal Data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on these grounds.
• Data portability – you can ask that we transfer the Personal Data you gave us to another party or give it to you.

If you want to review, verify, correct or request erasure of your Personal Data, object to the processing of your Personal Data, or request that we transfer a copy of your Personal Data to another party, please contact our Data Protection Officer.

You will not usually have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the data (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will no longer process your data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

When we share your data

We will not share your data with any third parties for the purposes of direct marketing.

In the usual course of our activities, we may use third party organisations to support the essential delivery of our services. This may be professional advisors and auditors or data processors working on our behalf e.g. to support IT systems in which your data is stored, or for the purposes of transportation and storage of data and confidential destruction. Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection legislation. This means that they cannot do anything with your Personal Data unless we have instructed them to do it. They will not share your Personal Data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

In some circumstances we are legally obliged to share data. For example, under the CMA Order, a court order or where other legislation requires us to, such as disclosures to HMRC or regulatory bodies. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the data and document our decision making.

We may share Personal Data with national healthcare bodies such as NHS England. Prior to undertaking any data transfer to a third party, we will ensure that a valid lawful basis is present and an adequate assessment of the risks to all relevant data subjects has been undertaken, with the appropriate controls in place to monitor and reduce any risks identified as part of the data sharing activity.

International transfers

All patient data we hold will remain in the UK. However, we use services to process data relating to other categories of individuals that are based outside the UK. All data is currently processed within the European Economic Area (EEA) and no data is transferred outside of the EEA.

Your right to complain

We would encourage you to contact us, in the first instance, if you are unhappy with any aspect of the way in which we process your Personal Data. You can get in touch with our Data Protection Officer using the details provided here or make an official complaint by writing to complaints@phin.org.uk.

If you are not content with the outcome of your complaint, you may apply directly to the Information Commissioners Office (ICO), as the UK supervisory authority, for a decision. The Information Commissioner can be contacted at:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

Telephone: 0303 123 1113
Website

Changes to this privacy notice

This notice was last updated on Thursday 6 January 2022.

Links to other websites

Our website may contain links to third party websites. Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes Personal Data. We encourage you to read the privacy notices on the other websites you visit.

How to contact us

Questions, comments and requests regarding this privacy notice are welcomed. If you want to request information about our privacy notice you can email our Data Protection Officer or write to us at the address above.

For general enquires please email info@phin.org.uk

Acknowledgement

*the ICO’s privacy notice has been used and adapted under open governance license to draft this notice in an attempt to follow their lead as the regulator for Data Protection in the UK.

Footnotes

* “Technical Data” comprises browser type/version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our websites).

** We are authorised to collect this data by the Private Healthcare Market Investigation Order 2014 (as amended).

*** Please note that patient data is processed for statistical purposes^. Patient data PHIN holds is therefore exempt from the right of access or rectification. Furthermore, all patient information we hold is de-identified/pseudonymised, we are legally required to process this data, and we are not in a position to identify individuals or their particular records. Individuals wishing to apply their right to access or rectification should contact the hospital that provided their care.

^ Statistical purpose means any operation of collection and the processing of Personal Data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose. The result of processing for statistical purposes is not Personal Data, but aggregate data and this result or the Personal Data are not used in support of measures or decisions regarding any particular natural person.

The original publication date for this page was on 6 January 2022. This page was last updated on 5 September 2023 to fix email links.