About this Privacy Notice
This Privacy Notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us in accordance with UK data protection legislation.
We may need to update this Privacy Notice from time to time and where we are already processing your personal data, we will notify you of any significant changes.
Who we are
Rutherford Diagnostics Limited is a company registered in England and Wales (company number 10844984) and is a fully owned subsidiary of Rutherford Health plc (a company registered in England and Wales, company number 09420705). Rutherford Diagnostics Limited is a registered data controller with the Information Commissioners Office, registration number ZA431613.
Where the term ‘we’ or ‘us’ is used, this relates to Rutherford Diagnostics Limited.
Our nominated representative, for the purpose of the Data Protection Act, is our Data Protection Officer whose contact details can be found at the end of this notice.
At Rutherford Diagnostics, we believe the provision of optimal, cost-effective diagnostic services and investing in new and developing technologies is an important step forward in a future where people will live well for longer. By utilising and developing innovative technologies, such as state of the art diagnostics to reduce levels of acute illness and support good health, Rutherford Diagnostics will revolutionise healthcare.
We will fund, deliver and maintain state-of-the-art diagnostic equipment housed in modern and well-designed facilities, and will seek out and will be open to investing in commonly unattainable and novel diagnostic technologies that will benefit the nation’s health outcomes.
We will process your personal data in line with data protection legislation as follows:
- We will always process personal data lawfully and fairly and in a transparent manner. We will ensure this Privacy Notice is available on our website and, where relevant to your relationship with us, ensure information is included in contracts, application forms and agreements where our relationship with you requires us to process personal data.
- We will ensure that whenever we collect personal data it is adequate, relevant and not excessive in relation to the purpose for which it is being processed.
- We will ensure information processed is accurate and where necessary kept up to date
- We will ensure that your personal data is kept in a form that allows us to identify you for our business purposes but is not kept in an identifiable format for longer than is needed.
- We will ensure that the processing of your personal data is done so to ensure the security and confidentiality of the data. This means that we have policies, procedures and training in place to ensure robust security controls are applied to the processing of your data.
What is personal data?
The term ‘personal data’ relates to any information that can or has the potential to, identify you as an individual such as your name, address, e-mail address, phone number. It also includes less obvious information such as identification numbers, electronic location data and other online identifiers.
Certain types of personal data are referred to in data protection legislation as ‘special categories’ of data. This is because they are classed as more sensitive and require additional protection.
Such information includes information about an individual’s:
- Ethnic origin
- Trade union membership
- Biometrics (where used for identification purposes)
- Sex life
- Sexual orientation
What personal data do we collect?
In the normal course of day to day business activities, we may obtain personal data through:
- Enquiries entered onto our online forms, received by email, telephone or letter which may include and not limited to enquiries in relation to:
- Investment opportunities
- Contracting of services by us, and to us
- Registration for events
- Subscriptions to newsletters
- Job vacancies
- Healthcare services
- Collaboration opportunities
Types of personal data processed by us may include:
- Personal data in relation to employees and contractors for the purpose of fulfilling employment law requirements.
- Personal, special category data and professional information required for processing job applications.
- CCTV images of visitors attending our physical locations.
- Contact details of suppliers, contractors and partners (e.g., name, company name, job title, address, telephone numbers, work and personal email and postal address).
- Financial information required for processing payments to individuals and companies.
- Personal information in relation to investors.
What is our lawful basis for processing your personal data?
Under data protection legislation we must always have a lawful basis for using personal data and special category data (as described earlier). The law provides a set of lawful purposes for processing personal data and special category data.
Depending on the reason for us processing your personal data, there may be several lawful purposes that will apply, and which may be relevant at different times. This section describes the lawful basis for processing personal data and special category data at Rutherford Diagnostics Limited.
When you contact us and ask us for information with a view to receiving services from us, supplying services to us, entering into investments or collaboration opportunities, we process your personal data to meet those requests.
We, therefore, rely on this lawful basis for processing:
‘The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract’.
We are subject to a range of legal obligations in relation to the services we provide. These may range from our requirements under the UK Companies Act, employment law, tax purposes and regulatory requirements laid down in healthcare legislation.
We, therefore, rely on the following lawful purpose:
’Processing is necessary for compliance with a legal obligation to which the controller is subject.’
The term ‘legitimate interests’ relate to our normal business activities which we carry out, and which would reasonably be expected as part of the running of our business and which does not impact your rights, freedoms or interests.
When you contact us to enquire about services, opportunities for investment, collaboration, providing services to us, receiving services from us or working for us, we process your personal data in order for us to respond to you and provide you with the required information and services.
Data protection legislation requires that any processing must be ‘necessary’ and on all occasions, we must balance our interests as a company against those of the individual’s. If the individual would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override our legitimate interests. We will always ensure that our legitimate interests do not cause unjustified harm to you.
Our company’s aim is to deliver diagnostics services, therefore personal data is collected and processed to achieve this aim.
We, therefore, rely on the following lawful purpose:
‘The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.’
Special Category Data
In the planning and delivery of our services, it may be necessary for us to process special category data in relation to responding to enquiries you make about treatments and services, providing services to you, and in relation to processing employee data. Where we collect health information relating to you we will provide you with a specific privacy notice at the point of collection.
The lawful process by which we are able to process special category data is as follows:
‘Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.’
There may be situations where complaints or claims are made against us a company or against our independent medical practitioners and where the processing of special category data is necessary to respond to those complaints or claims.
The lawful purpose we would reply on for special category data in these circumstances is as follows:
‘Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.’
We will always ask for your consent to send you information on our services and treatment and business opportunities (consent to marketing). You can opt into receiving information when you complete our online forms or are provided with opportunities to join mailing lists at our events
There may be other circumstances where we require your consent. Wherever the processing of your personal data requires consent we will ensure we provide you with full information to allow you to make an informed decision:
‘The individual has given clear consent for you to process their personal data for a specific purpose.’
Who your information is shared with
Within the day to day running of our business, we may use third party organisations to support the essential delivery of services. These may be; IT service providers, financial advisors, storage & shredding companies, debt management companies. We may also be required to share personal information to prevent fraud and to assist the police in the prevention and detection of a crime.
Where third party organisations are used, who may have access to your personal data, we ensure that a contract is in place, security checks are undertaken and that we have a lawful basis for sharing the personal data.
Personal data may be shared between Company subsidiaries within the Rutherford Health Group in order for us to carry out our functions. Such processing may involve the provision of IT storage systems, mailing lists, contact databases and the undertaking and reviewing of financial transactions.
The Board and Executive Team of Rutherford Health plc provide the corporate and quality governance, and central functions in relation to Rutherford Diagnostics Limited. This means that certain personal data obtained by us may be shared with Rutherford Health for the purposes of accounting and invoicing, auditing, human resources functions. In addition, subsidiary companies within the Rutherford Health Group include:
- Rutherford Estates Limited
- Rutherford Cancer Care Limited
- Rutherford Innovations Limited
Personal data collected by us may be required to be shared within our company subsidiaries if the purpose of collecting the data warrants the sharing to take place, for example, opportunities for collaboration may involve our services within the wider group.
Where we, or third party companies who we engage with, ‘process’ data (transfer, store) outside of the European Economic Area (“EEA”) we ensure that appropriate security checks are undertaken and that processing is in line with the data protection legislation.
Where data is processed outside of the EEA, it will be processed by staff operating outside the EEA who work for us or for third party companies engaged by us.
How we protect the security and confidentiality of your personal data
All employees are bound by contractual confidentiality clauses in employment contracts, receive mandatory training in data protection and confidentiality and process information under the direction of mandatory policies and procedures. Audits are carried out to ensure information recorded and created is accurate, up to date and kept securely.
We would like to keep you updated on the services and treatments that we provide but will only do this where you have opted in to receive such updates. When you access our services you are provided with an option to join our mailing list. You may also have the opportunity to opt-in through links or forms when you visit our website or by completing forms when you attend events. When you opt-in to receive information on our services, should you wish to stop receiving updates you can contact us and we will remove you from any mailing lists.
We never share or sell your data to external marketing companies.
Your rights under data protection legislation
The right to be informed
You have the right to be informed of how we process your personal data. We inform you of how we process your data, through the provision of this Privacy Notice, and in notices, we provide when you register for our services. We also inform you of other types of processing such as call recording or CCTV through notices and recorded messages. You can also contact us at any time to query any aspect of the processing of your data.
The right to access your personal information
You may contact us to request details of the type of processing we carry out on your personal data and a copy of the personal information which we hold about you. This is known as a Subject Access Request and must be submitted in writing to the Data Protection Officer at the address shown below.
We must process your request within one month of receipt of the request, however, if it is a complex request we may need to extend this by up to two months. You will be kept informed if an extension is required.
The right to rectification
You have the right to have incorrect personal information amended or completed if it is incomplete.
The right to erasure
You have the right to request that we delete the personal information we hold about you. However, there are exceptions to this and in certain circumstances, we may not be able to comply with your request. For example, the right of erasure of personal information does not apply to special category data where it is being processed for medical diagnosis and the provision of health and social care.
The right to restrict processing
You have the right to limit the way we use your personal information in certain circumstances. For example, this may occur if:
- you have asked us to amend inaccurate information or
- you feel that your information has been unlawfully processed
The right to data portability
Where we are processing personal data purely in electronic format, there may be circumstances where you can request to have your data transferred (if technically possible) to another individual or organisation of your choice in an electronic format.
The right to object
You have the right to object to the processing of your personal data in certain circumstances:
You can ask us to stop processing your personal data for direct marketing at any time. When we receive an objection to processing for direct marketing we must stop processing your data for this purpose.
You have the right to object to us processing your personal data for our legitimate interests (i.e. our business reasons) however you must give specific reasons to why you are objecting. We may not be able to meet your request depending on the reasons stated.
Automatic decision-making and profiling
We do not use automated decision-making tools or profiling when you provide us with personal information.
Personal data collected when using our website
When you visit our website, we automatically collect the following information:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page
We use Google Analytics cookies to collect information about how visitors use our site. Cookies are small files which are stored on a user’s computer, designed to hold a small amount of data specific to a particular user and website. Using cookies allows us to collect information about how visitors use our website.
Google Analytics sets four types of first-party cookies automatically:
These cookies track the number of visitors to our website, how long the website sessions last, and note where the website visitor arrived from. The information collected by these cookies is anonymised and visitors cannot be identified. We will use this information to write reports and make improvements to the website.
You block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
How long do we keep personal data for?
Under data protection legislation personal data must only be processed for as long as it is necessary and not kept for an excessive period of time. How long we keep your personal data will depend on our relationship with you (i.e. the purpose for which we have obtained your personal data).
We retain personal data to provide our services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that we are subject to.
Where personal data is received as part of a contract, clauses within the contract will specify the retention period and return or deletion of personal data as relevant to each contract.
How to contact us
You can contact the Data Protection Officer by writing to us at:
The Data Protection Officer
Rutherford Health plc
15 Bridge St, Hereford, HR4 9DF
How to complain
If you believe that your information has been unfairly or unlawfully used, you have the right to contact the Information Commissioner’s Office at the address below:
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate) or 01625 545 745
This Privacy Notice was updated on 20th May 2020