Privacy Policy
How PrivateScans collects, uses, stores and shares personal data, including health information, when you use our website and medical imaging services.
Address: NEC House, 200 Derby Road, Stapleford, Nottingham, NG9 7AY
Telephone: 0115 837 2252
Email: care@privatescans.uk
Website: www.privatescans.uk
Effective date: 12 February 2026
Version: 1.1
Document owner: Clinical Governance Lead / Practice Manager
Review frequency: At least annually and sooner if services change or regulatory guidance changes.
1. Scope and purpose
This Privacy Policy explains how we collect, use, store and share personal data, including special category health data, in accordance with UK GDPR, the Data Protection Act 2018 and PECR where applicable.
“Personal data” means information about an identifiable living person. This policy applies to our website, enquiries, bookings, pre-scan consultations, imaging coordination, referrals, results support, complaints and other communications with PrivateScans.
2. Who we are: data controller
PrivateScans is the data controller for personal data processed for our services.
Data Protection Lead / DPO role: PrivateScans
Address: NEC House, 200 Derby Road, Stapleford, Nottingham, NG9 7AY
Telephone: 0115 837 2252
Email: care@privatescans.uk
Website: www.privatescans.uk
3. What data we collect
We may collect:
- identity data, including name, date of birth and gender where relevant;
- contact data, including address, phone number and email address;
- appointment, booking and scan location details;
- health and medical information, including history, symptoms, medications, allergies, implants, procedures and consultation notes;
- imaging-related information, including questionnaires, referral details, reports, images or image access details and provider communications;
- payment and transaction data, including the £25 pre-scan consultation fee, scan payments, invoices and refunds, while card data is handled by a payment provider;
- communication records, including emails, SMS, telephone notes and secure messages;
- feedback, incident and complaint correspondence;
- website and technical data, such as IP address, device/browser information and website usage information where cookies or analytics are used.
We only collect data that is relevant and necessary for safe care and service delivery.
4. Legal bases for processing
We process personal data under contract, legal obligation and legitimate interests, including service improvement, responding to enquiries, managing appointments and safety.
We process health data, which is special category data, where necessary for the provision of health or social care and, where required, with explicit consent. Consent may also be used for certain communications, marketing and any marketing use of images or video.
5. How we use your data
We use your data to:
- book and manage appointments;
- conduct pre-scan clinical assessments and provide care-related support;
- communicate with you about appointments, referrals, results and aftercare information;
- issue referrals and share required information with imaging providers;
- receive and store clinical reports and advise you of results;
- manage payments, invoices and account records;
- maintain safe records for clinical governance;
- investigate incidents, complaints and safeguarding concerns;
- improve services through audits, feedback and governance processes;
- maintain website functionality, security and performance.
6. Data sharing: who we may share with
We may share data with:
- imaging providers, scan centres and reporting clinicians for scans and reporting;
- other healthcare professionals involved in your care, such as your GP or consultant, where required for safe onward care or with your consent;
- insurers where relevant and with appropriate authority;
- regulatory bodies where required by law or applicable professional obligations;
- professional advisers, such as legal or accounting advisers, under confidentiality;
- IT, booking, payment, email, hosting and system providers who host or support systems as processors under contract;
- emergency services or safeguarding bodies where required to protect someone’s vital interests or comply with a legal duty.
We do not sell or broker your data. We will not share your data for marketing with third parties without your explicit consent.
7. Data storage, security and access control
Data is stored securely with appropriate technical and organisational measures. Access to records is limited to staff involved in providing care or administering services.
Administration staff may access contact details and booking/account information to manage appointments and accounts. Where third parties process data for storage or systems, they are vetted and bound by confidentiality and data processing agreements.
Data is stored within the United Kingdom and is not stored outside the EEA unless we have ensured appropriate safeguards. We will update this policy if that changes.
8. Retention: how long we keep data
We retain personal data as follows:
- adult records: retained for 8 years after the end of the care relationship or contract, or longer where required by law or regulatory need;
- records for minors, where relevant to historical legacy records: retained until age 25. We do not routinely treat under-18s under our current eligibility policy;
- enquiry and administrative records: retained only as long as necessary for the purpose collected, unless linked to clinical care, a complaint, legal claim, payment record or regulatory requirement.
After retention periods, data is securely deleted or destroyed unless a lawful basis requires longer retention, such as an ongoing dispute or legal claim.
9. Your rights
You have the right to access your data, rectify inaccurate or incomplete data, erase data where applicable, restrict processing where applicable, request data portability where applicable, object to certain processing including direct marketing, and withdraw consent where processing relies on consent.
Where we cannot comply fully, we will explain why and set out your options.
10. Subject access requests and ID requirements
To protect confidentiality, we require identification for access requests. We may accept a driving licence, passport, birth certificate or utility bill not older than three months. We usually require one photographic ID plus one supporting document.
Requests should be made to care@privatescans.uk or by writing to PrivateScans at NEC House, 200 Derby Road, Stapleford, Nottingham, NG9 7AY.
We will normally respond to subject access requests within one calendar month of receipt. This period may be extended by up to two further months where requests are complex or numerous, in accordance with UK GDPR. If an extension is required, we will inform you within one month of receipt and explain why.
11. Marketing, emails and SMS
We may contact you about your enquiry, booking, referral, appointment, report, complaint or account because these communications are necessary to provide the service.
We will only send marketing messages where we have a lawful basis to do so. You can opt out of marketing at any time by contacting us. Opting out of marketing does not stop essential service communications.
12. Cookies and website analytics
Our website may use essential cookies to make the site work properly and may use analytics or performance tools to understand website usage and improve the site. Where required, non-essential cookies will only be used with appropriate consent.
You can usually control cookies through your browser settings, although blocking essential cookies may affect how the website works.
13. Data breaches and security incidents
We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration or disclosure.
In the event of a personal data breach, we will assess the risk and, where required, notify the Information Commissioner’s Office (ICO) within statutory timescales.
Where a breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay and provide information on recommended steps you can take.
14. Complaints about data protection
If you wish to make a complaint about how your personal data is being processed, you have the right to complain to us in the first instance.
If you do not receive a response within 30 days or remain dissatisfied, you can complain to the supervisory authority:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
15. Changes to this policy
We may update this Privacy Policy if our services, systems, providers or legal requirements change. The effective date and version number above show when this policy was last updated.