Fortius Clinic Privacy Notice
At Fortius Clinic we are committed to respecting and protecting your privacy at all times and take seriously our responsibilities under data protection legislation. This privacy notice outlines how we collect and use your personal information, how we keep it secure and your legal rights.
Who are we?
Fortius Clinic is a private limited company, providing musculoskeletal and orthopaedic healthcare services, which includes outpatient consulting and treatments, surgical services and diagnostic imaging services. We also provide practice management services (appointments, medical records management, clinical outcomes collection, secretarial services and billing) for Fortius clinicians seeing patients at other locations. Clinicians make decisions about information they require about you, and may maintain their own set of medical records in relation to the treatment that they provide. They are a Data Controller in respect of the personal information that they hold within those records, meaning that they must comply with the data protection legislation and relevant guidance when handling your personal information. To the extent relevant to their practice, you can expect clinicians (including their medical secretaries) to handle your information in line with this Privacy Notice. This includes using your personal information as set out in more detail below.
Registered office: Our registered office is 17 Fitzhardinge Street, London, W1H 6EQ
What types of data do we collect and use?
In order for Fortius and your clinician to provide your care and treatment we will collect certain types of personal and sensitive data about you.
The personal data we collect includes
- Personal details including your full name, title, date of birth and gender
- Your address and contact details, including email address and telephone numbers
- Emergency contact details and/or next of kin
- Your National Health Number
- Details about other clinicians involved in your care or referral, e.g. your GP or physiotherapist
- Financial information including your credit card or other bank details if you are responsible for the payment of all or part of the bills relating to your care
- Your Medical insurance details or information regarding other organisations responsible for funding your care
We also collect and hold data that is known as a special category of personal data which includes:
- Details of your current and previous physical and mental health. This may include treatment you have received elsewhere and by other clinicians
- Medical records including past treatments, results of investigations, tests and scans
- Imaging such as X-rays, ultrasound and MRI scans and their reports, photographs and videos
- Your religion, nationality, race and/or ethnicity
- Sexual orientation
- Genetic or biometric data relating to you
Where does this information come from?
The information, which is part of your medical record, may be provided by yourself, your GP, your referring clinician, your consultant and any other health professionals involved in your care. Further information may also be provided by your insurer or others funding your treatment.
We also collect information directly from you when you visit our website and patient portals, including from our SCORES clinical outcome system.
What legal basis does Fortius Clinic have for storing and using my personal data?
Under the General Data Protection Regulation Article 6 (1) and Article 9 (2) we have the right to process your data in the following ways:
- To support the provision of high quality treatment and clinical care appropriate to your needs
- To communicate with you regarding your clinical care with us and to resolve any queries, concerns or complaints you may have
- To communicate with other health professionals and referring clinicians regarding your care
- To undertake clinical audit and statistical analysis to monitor the standard of care provided and improve clinical performance
- In order to obtain payment for your treatment
- To comply with legal obligations
How will Fortius use my personal data?
The personal data will be used for the following purposes:
- To ensure you are receiving appropriate clinical care for your needs
- Arranging appointments, investigations, scans, procedures and surgeries
- To respond to your queries, complaints and concerns
- Quality assurance through the evaluation of your treatment and outcomes
- Processing of invoices and payment of fees in connection with your account with us and/or your consultant
- Disclosure of details of your treatment with us to your referring physician or clinician or to another clinician for further treatment when required. If you would prefer us not to share this information please notify us
We will never market our services or pass on your information to a third party without your consent, except in the circumstances set out in the section below.
Do I have to provide my personal information?
You are not obliged to share any information with us but limiting the information you do disclose may mean we are unable to offer a full range of services and therefore it may affect the service we can offer.
We will seek explicit consent to collect and process your data where it is required under data protection law. You may withdraw your consent at any time by contacting the Fortius Data Protection Officer.
Will my personal data that Fortius holds be shared with others?
Under certain circumstances your data will be shared with others but we will only share such information as is appropriate and in the following situations
- Sharing information with those involved in your health care. This would include:
- Consultants, anaesthetists, radiologists and other health professionals, such as physiotherapists
- External companies that provide Fortius with services as part of your care pathway, such as blood tests, radiological imaging, archiving and reporting
- Specialist companies that provide bespoke medical devices such as prostheses and these may be based outside of the European Union
- Another hospital provider that provides Fortius with services as part of your care pathway, such as pharmacy services
- Your GP and/or other referring clinician(s)
- Other members of staff such as administrators, receptionists and medical secretaries
- If we feel you are vulnerable or “at risk” we have an obligation to share information about you with the local Safeguarding Team, the specialist members of which come from the local authority, NHS organisations and the police
- Anyone you have asked us to communicate with or whose details you have provided as an emergency contact
- Sharing Information with those involved in the administration of your care such as
- Your private medical insurer or other organisation paying for your care
- Debt collection agencies, if your bill is not paid in accordance with our credit terms. The information shared would only include contact details and copy invoices. We would not share your medical record
- Sharing information with 3rd parties not involved in your care
- We share personal information with external organisations as required to ensure business functions are able to operate and to ensure the security and integrity of these functions. In each case only information relevant to them is shared. The 3rd parties can include
- Software providers of clinical and non clinical systems
- Document scanning and storage facilities
- Legal and professional advisors, including auditors
- Additionally, pseudonymised, anonymised and aggregated data may be shared as part of our quality assurance process.
- Sharing information with regulatory bodies or due to a legal obligation
- We may disclose personal information where we have a statutory or legal obligation to do so, such as in the following situations
- With our regulators, such as the Care Quality Commission who inspect healthcare providers in England, the Medicines and Healthcare products Regulatory Authority and with professional regulatory bodies such as the General Medical Council
- When instructed by court order or by the police and other crime agencies for the detection and prevention of crime
- Limited information is shared with the Private Healthcare Information Network (PHIN) which publishes information on the quality and cost of privately funded healthcare. It is a mandatory requirement for us to provide information to PHIN and we will comply with all data processing laws when doing so
- Sharing of personal data for research and marketing
- We will never use your personal data for marketing purposes without your consent and we will never sell your personal data to a third party
- Fortius is committed to furthering research and education in orthopaedics and musculoskeletal conditions and treatments. We may therefore use your personal data for clinical research and education but we will seek your explicit consent to do so in line with research ethics requirements and data protection laws
- Sharing data with your consent
- With your consent we may disclose your personal information to other parties including
- at your request, for example to a company handling a claim on your behalf
- to National Registries who monitor the outcome of treatment provided
For how long will you keep my data?
We will only keep your personal data for as long as is necessary to comply with the purposes outlined in this privacy notice and to comply with legal and regulatory requirements. The retention periods are in line with the Information Governance Alliance Records Management Code of Practice for Health and Social Care 2016.
Is my data secure?
Priority One IT is the official IT service provider for Fortius Clinic. Priority One IT has implemented a number of technical controls on behalf of Fortius Clinic to ensure that the confidentiality, the integrity and the availability of the data that is being processed are preserved at all times.
Backups are performed on a daily basis in order to keep it readily available in the event of a natural disaster or a technical issue. This measure is also critical for proper business continuity and to ensure an exemplary level of customer service.
Encryption controls have been implemented for data that is in transit. This ensures that the data being transmitted over email is kept secure and that it is only accessible by the intended recipient(s).
All machines are built to a standard following a strict process and pre-defined requirements. This ensures that the machine is secure with the appropriate user level and approved tools from the beginning of its lifecycle. In addition to that, all machines are password protected to restrict access to authorised personnel only.
What rights do I have as a data subject?
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you, which will be provided free of charge and within one month of receipt of your request.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete and we will respond within one month of the receipt of your request.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply you have a right to restrict the processing of information we hold about you.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review: in the event that Fortius refuses your request under rights of access, we will provide you with a reason as to why.
If you exercise any of your rights in a situation where a third party is involved we will forward your request to them.
Should you have any queries or wish to exercise any rights set out in this notice you can contact the Fortius Clinic Data Protection Officer at the address below. If you make a data request you will be required to provide identification and Fortius will accept the following forms of ID: Passport, driving licence, utility bill from the last three months or another form of photo ID.
You can complain to the Information Commissioner’s Office (ICO) if you are unhappy with the way we have dealt with a request from you to exercise any of your rights or if you think we have not complied with our legal obligations. Whilst you do not have to do so, we would appreciate you making the Data Protection Officer aware of the issue and giving us an opportunity to respond and to address it before contacting the ICO. Making a complaint will not affect any other legal rights or remedies that you have. More information can be found on the ICO website: https://ico.org.uk/ and the Information Commissioner's Office can be contacted by post, phone, fax or email as follows:
Information Commissioner's Office
Telephone: 0303 123 1113 (local rate) or 01625 545 745 9 (if you prefer to use a national rate number)
Fax: 01625 524 510
How do I complain?
In the event that you wish to make a complaint about how your personal data is being processed by Fortius Clinic, please contact the Data Protection Officer at Fortius Clinic. You also have the right to complain directly to the Information Commissioner’s Office.
The details for each of these contacts are:
Information Commissioner’s Office
Telephone: 0303 123 1113 (local rate)
01625 545 7459 (national rate)
Data Protection Officer
17 Fitzhardinge Street
Additional information relating to our Website
We will also collect and use some personal data when you visit our website or use our other digital services, such as our patient portal.
What information do you collect and how is this used?
In addition to the information already mentioned we collect the following information through the website:
- Visits to our website
- Information provided in our enquiry and feedback forms
- Survey information
- Enquiries or calls made via the website about our services
We use this in the following ways:
- To analyse the website to provide the optimal user experience for example ensuring that web pages are easy to read and information is well presented
- To notify you about changes to products and services
- To provide you with information about our products and services where you have consented to be contacted, for example where you have subscribed to receive information regarding our events
How secure is my data?
Any personal information held by Fortius is held on secure servers and encrypted. However, the transmission of information via the internet is not completely secure. During transmission of data, whether by forms or email, we cannot guarantee the security of your data and doing so is at your own risk.
Cookies are small data files that can identify you when you visit a website. Cookies remember your settings during and between visits to our site and also improve the speed and security of the website.
Which cookies do you use?
Code set cookies
Expires: 2 hours
A security token held to avoid cross-domain form submission spamming
Expires: 2 hours
This is set by the server to determine the user’s current session identity.
Further information regarding the cookies used by Google Analytics can be found at https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Expires: 2 years
Used to distinguish visitors to site
Expires: 1 day
Used to distinguish visitors to site
Expires: 1 minute
Used to help identify the visitors by either age, gender, or interests by DoubleClick - Google Tag Manager.
Expires 10 years unless deleted from browser history / cookies
Shares a unique telephone number to the website visitor and allows analysis of website usage.
Do you share my data?
When you complete an online enquiry form, this information is shared only with Fortius Clinic. We do not share your information with any third parties, unless you have given us permission to do so.
When you send an email or complete a referral form, Fortius will not share your email address with anyone outside the clinic, with the exception of those directly involved with providing the services about which you are enquiring. If you sign up for one of our emailing lists, and opt in to receive communication from us, we will only send you information in the format you have requested.
Are all downloads checked for viruses?
Although every reasonable effort is made to ensure that files are free of defects and viruses, no warranty or guarantee is given by Fortius Clinic regarding files downloaded or accessed.
If you have any comments, queries or feedback about this privacy notice please email firstname.lastname@example.org
Additional information for Job Applicants
This section of our Privacy Notice sets out important details about information that Fortius Clinic may collect and hold about you as a Job Applicant, how that information may be used and your legal rights. Applicants should take time to read this Privacy Notice carefully and contact us if you have any questions about its content.
What information does Fortius Clinic hold about me and where does it come from?
We have information about you which you have supplied to us as part of the recruitment process, either through uploading of information to our website, by sending information to us by post or by email, or by providing this information to us over the telephone. We will also hold information about you and your suitability for the role which you have provided to us during an interview. On occasion, we may have been provided this information via a recruitment agency.
The information we hold includes:
- your name and contact details (postal and email addresses and phone numbers), details of your current salary, confirmation of your right to work in the UK without sponsorship
- details of your experience and supporting information (such as professional qualifications),
- explanation of any gaps in your CV of more than one month
- details of any criminal convictions
- more sensitive information that you have provided, such as your current or previous physical or mental health, nationality, race and/or ethnicity and genetic or biometric data. We refer to this as ‘more sensitive information’ in this Privacy Notice
- we may have information about you from professional bodies such as the Nursing & Midwifery Council (NMC), General Medical Council, (GMC), the Health and Care Professions Council (HCPC) and on occasion, from government agencies such as HMRC or the Home Office, as well as from any previous employers or educational establishments
- confirmation of whether you have any criminal convictions from the Disclosure & Barring Service
- references from individuals whose details you provide to us
- an occupational health assessment confirming your fitness to work and whether there are any reasonable adjustments required to be made to enable you to perform the role.
In order for us to process your application, we ask that you provide as much information to us as you can. You are of course free not to disclose information to us and you should only provide it where you feel comfortable in so doing. Please bear in mind, however, that if you are only willing to share limited information, we may not be able to take forward your application.
How will Fortius Clinic use the information it holds about me?
We use information about you in connection with your application for a role with Fortius Clinic, including:
- Assessing your skills, qualifications and suitability for the role
- Carrying out background and reference checks
- Communicating with you about the recruitment process
- Keeping records related to our recruitment processes
- Complying with legal or regulatory requirements
It is necessary for us to use information about you as described above in order to pursue our legitimate interest of considering whether or not you are suitable to be appointed to the role for which you have applied.
We may use more sensitive information to indicate if any reasonable adjustments need to be made so you can attend an interview, to confirm your fitness to work and to judge whether any reasonable adjustments may need to be made to enable you to carry out the role.
Where the role for which you are applying entitles or requires us to do so, we carry out a disclosure and barring service (DBS) check. The level of check will depend on the particular role and we have in place appropriate safeguards, which we are required by law to maintain when processing such information.
We may also use information about you to:
- ensure meaningful equal opportunities monitoring and reporting
- contact you in relation to your application
- maintain our business records, improve our recruitment processes and monitor outcomes
- where there is a legal or regulatory obligation on us to do so. In particular cases, it may be necessary for us to use more sensitive information about you in order for us to establish, exercise or defend our legal rights
- where you have provided your consent to us doing so
We do not carry out automated decision making or profiling. Please see more detailed information in the sections below.
Will Fortius share information about me with others?
In some instances we will need to share information about you:
- with our staff who are involved in the recruitment process, including administrative staff
- with our occupational health team if you are successful
- with previous employers, educational establishments and/or professional bodies in order to verify information about your previous experience, qualifications and professional registrations
- with previous employers and individuals whose details you provide to us in order to request a reference on your suitability for the role you have applied for
- with the Disclosure & Barring Service, when the job role requires, to confirm whether you have any criminal convictions, and relevant details
- with external organisations such as our lawyers, auditors, financial, tax and public relations advisors
- with third party suppliers that provide us with document scanning and storage facilities and/or information technology systems, including a recruitment administration management system as well as other non-clinical software applications (and related services) and website hosting
- with our regulators, including the Care Quality Commission, NHS England and the Department of Health
- where we are required to do so, by law or in the public interest, for instance a court order or investigation by a regulatory body
- with the police and other third parties where reasonably necessary for the prevention or detection of crime. On occasion, this may include the Home Office and HMRC
- Additionally, your data may be used in audits, surveys and initiatives concerning the quality of our recruitment processes and in assessing trends in vacancies and applicants. Any data provided outside Fortius Clinic will not contain information by which an applicant could be identified, unless it is required by law. Any publishing of this data will be in anonymised statistical form.
Where and for how long does Fortius Clinic store information about me?
Information about you is held securely in the United Kingdom in electronic format, and on our secure servers or those of our third party information technology provider. Where required for the reasons given above, we may transfer information about you to a referee, previous employer, educational establishment or professional body based overseas. We will take all reasonable steps necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.
We retain your application records in our recruitment system for one year, after which information for successful candidates is transferred to our employment records and other records are securely destroyed. These timeframes are to ensure that information is properly managed and is available whenever and wherever there is a justified need for that information, including to support our legitimate interests, and to meet legal requirements. They may be extended in the event of a complaint, legal proceedings or where we are required to do so by a regulatory body.
If you ask us to retain your information in case of a future suitable vacancy, we will do so for a further period of one year.
What rights do I have?
The law provides you and other candidates with certain rights in relation to the information about you that we hold; please refer to the rights section in the Privacy Notice for patients above. You may exercise these at any time by contacting our Data Protection Officer (contact details below) or as otherwise noted below.
There will not usually be a charge for handling a request to exercise your rights and if we cannot comply with your request, we will usually tell you why. If you make a large number of requests or it is clear it is not reasonable for us to comply with a request, then we do not need to respond and we may charge for doing so.
How do I exercise my rights?
For further questions or to exercise any rights set out in this Privacy Notice, please contact Fortius Clinic’s Data Protection Officer:
Data Protection Officer
17 Fitzhardinge Street