Last updated on 22nd August 2021
Rutherford Diagnostics Ltd understands the importance of protecting and respecting your online privacy. This Privacy Notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us in accordance with UK data protection legislation.
We may need to update this Privacy Notice from time to time and where we are already processing your personal data, we will notify you of any significant changes.
Who we are
Rutherford Diagnostics Limited is a company registered in England and Wales (company number 10844984) and is a fully owned subsidiary of Rutherford Health plc (a company registered in England and Wales, company number 09420705).
Where the term ‘we’ or ‘us’ is used, this relates to Rutherford Diagnostics Limited.
Our nominated representative, for the purpose of the Data Protection Act, is our Data Protection Officer whose contact details can be found at the end of this notice.
At Rutherford Diagnostics, we believe the provision of optimal, cost-effective diagnostic services and investing in new and developing technologies is an important step forward in a future where people will live well for longer. By utilising and developing innovative technologies, such as genomic sequencing and state of the art diagnostics to reduce levels of acute illness and support good health, Rutherford Diagnostics will revolutionise healthcare.
We will fund, deliver and maintain state-of-the-art diagnostic equipment housed in modern and well-designed facilities, and will seek out and will be open to investing in commonly unattainable and novel diagnostic technologies that will benefit the nation’s health outcomes.
Processing personal data in line with data protection legislation
We will process your personal data in line with data protection legislation as follows:
- We will always process personal data lawfully and fairly and in a transparent manner. We will ensure this Privacy Notice is available on our website and, where relevant to your relationship with us, ensure information is included in contracts, application forms and agreements where our relationship with you requires us to process personal data.
- We will ensure that whenever we collect personal data it is adequate, relevant, and not excessive in relation to the purpose for which it is being processed.
- We will ensure information processed is accurate and, where necessary, kept up to date.
- We will ensure that your personal data is kept in a form that allows us to identify you for our business purposes but is not kept in an identifiable format for longer than is needed.
- We will ensure that the processing of your personal data is done so to ensure the security and confidentiality of the data. This means that we have policies, procedures, and training in place to ensure robust security controls are applied to the processing of your data.
What is personal data?
The term ‘personal data’ relates to any information that can, or has the potential to, identify you as an individual, such as your name, address, e-mail address and phone number. It also includes less obvious information such as identification numbers, electronic location data and other online identifiers.
Certain types of personal data are referred to in data protection legislation as ‘special categories’ of data. This is because they are classed as more sensitive and require additional protection.
Such information includes information about an individual’s:
- Ethnic origin
- Trade union membership
- Biometrics (where used for identification purposes)
- Sex life
- Sexual orientation
What personal data do we collect?
We collect personal data and special category data (where relevant). The type and amount of personal data we collect will depend on our relationship with you. Under data protection legislation we must always have a lawful basis for using personal data and special category data. The data we collect and legal purpose for doing so, is as follows:
For this Privacy Notice, the following legal basis applies to the processing of your personal information (including health data):
Article 6 GDPR
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes (The consent basis)
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (The contract basis)
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject. (The legal obligation basis)
- (d) processing is necessary for compliance with a legal obligation to which the controller is subject. (The vital interest basis)
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (The public interest basis)
- (f) processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (The legitimate interest basis)
Article 9 GDPR
- (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where domestic law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject. (The consent basis)
- (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. (The vital interest basis)
- (f) processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity; (The legal claims basis)
- (h) processing is necessary for the purpose of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; (The healthcare basis)
1. Making enquiries about our services
When you contact us in person, by telephone, email, fax, letter, social media or through completion of a website enquiry form, to enquire about the services we offer, we will only collect personal data that is necessary to enable us to respond to your enquiry. The types of information we will routinely collect include your name, address, contact details, and health information. This data will be processed on the contract basis where it relates to personal data, and the healthcare basis where it relates to your health data.
During the enquiries process we may record our telephone calls for quality and training purposes. This will be communicated to you prior to each call, and you will have the option to request that the call recording function is disabled. When recording calls made to the national enquiries line, we will rely on the legitimate interests basis for processing your personal data. Where the recording involves special category data we will only do so where we can rely on the consent basis for processing.
If you provide personal information about another individual, you must inform them of this Privacy Notice. We will never relay or discuss personal information we hold about an individual to another individual without their consent or where evidence is provided of a lawful basis i.e., power of attorney.
When a referral is received, personal data is provided to us by the referring source. The sources from where we receive information may include, and are not limited to:
- Clinicians (including their medical secretaries)
- Hospital and healthcare provider establishments
- Commissioning bodies (including NHS boards from around the UK)
- Allied Health Professionals
Information that may be received may include your personal contact details, your medical history conditions. As part of the booking process we may also request and receive scans and images from other healthcare providers. Failure to provide this type of data may result in the inability to provide our services.
When a referral is made to us by yourself, or a third-party provider, we will enter into an agreement for services with you and will therefore be relying on the contract basis for processing. If you have been referred by the NHS and no contract is in place with you directly, we will be acting on behalf of the NHS in these circumstances and will rely on the public interest basis for processing your personal data.
Where all referrals include data relating to your health, we will also rely on the healthcare basis for processing.
3. Treatment and Services
Any personal data that is captured during the delivery of a service is captured within your health record. The type of information collected and recorded in your health record may include, and is not limited to:
- Personal data in relation to; your name, address, date of birth, ethnicity, contact details and next of kin.
- Medical information including images.
- Personal information that is required to prepare for, and to enter into, a contract for services. This may include payment method information, information from your insurers, agency, or commissioning body (where relevant).
Personal data that is processed for the delivery of a service will be processed under the provision of entering into an agreement with you and we will therefore be relying on the contract basis for processing.
If you are receiving a service at the direction of the NHS and no contract is in place with you directly, we will be acting on behalf of the NHS in these circumstances and will rely on the public interest basis for processing your personal data.
For data relating to your health, we will also rely on the healthcare basis for processing.
We use CCTV cameras in the centres to protect the safety of our visitors, premises, and our car parks. Personal images may be captured during recording. Signs are clearly displayed to inform visitors of CCTV recordings, and recording will only be undertaken in public areas such as car parks and entrances to centres. All recordings are held securely and deleted after 31 days in line with our retention policy.
When capturing images using CCTV, we will process this data on the Legitimate Interests basis.
5. Legal Obligations
As a provider of health care services, we are required to comply with a range of legal and regulatory requirements for the treatments and services we provide. These include, and are not limited to:
- There may be occasions where complaints or claims are made against us or an independent medical practitioner. It is therefore important that accurate information has been recorded about the treatment provided to a patient as this may be required as part of investigating the complaint or claim.
- In addition, various bodies regulate healthcare providers who have the legal powers to require information to be disclosed to them about patients as part of their audit processes. Where such access is given the information is reviewed under strict confidentiality requirements.
For personal data processed in these circumstances we will be relying on the Legal obligation basis for processing. In these scenarios only the minimum required data will be processed. If it is a requirement for health data to be processed, then this will be done so on the healthcare basis for processing.
There may be situations where complaints or claims are made against us as a company or against our independent medical practitioners and where the processing of special category data is necessary to respond to those complaints or claims. The lawful purpose we would rely on for special category data in these circumstances is the legal claims basis.
6. Research & Development
The processing of your personal data by us for research and development is in our commercial interests as a provider of healthcare services and our aim to contribute to broader societal benefits. The processing of your personal data for research and development enables us to provide you with an improved healthcare service, which is in our and your interests. Any information shared for these purposes will be fully anonymised unless you have given us your consent to provide “identifiable” personal data, in which case we will rely on the consent basis for sharing the personal data. There may be circumstances where we require your consent such as involvement in specific research projects. In such circumstances we will ensure we provide you with full information to allow you to make an informed decision and will only process your personal data in this way where we can rely on the explicit consent basis for processing.
We support and participate in audit and research programs to enable the analysis and measurement of the effectiveness of treatment. Therefore, information gathered as part of the provision of treatments will be reviewed by those responsible for internal audit programs and also reviewed by external regulating bodies such as the Care Quality Commission during site inspections, who are bound by confidentiality requirements. In such circumstances we will be relying on the legitimate interests basis for processing.
We may also share anonymised and aggregated patient information with organisations such as the National Institute for Clinical Excellence, and research partners for research or statistical purposes.
7. Patient Images for teaching, training, and research
Images that are acquired during the patient pathway are stored within our systems and patient record. We record this information so that it is available each time we see you and so that it is available to the clinicians responsible for your care.
These images may also be used for reasons other than your direct personal care and can be crucial for maintaining records on patient safety, for planning future services and teaching. This information can also lead to exciting research discoveries that may benefit future generations. When this is required, we ensure that you cannot be identified from these images, and all personal data is anonymised.
We do not require a legal basis for this processing as all data is anonymised. Where further information is required and the data is no longer anonymous, we will only continue to process under the consent basis.
It is important to us that we monitor the accuracy and quality of treatment we provide. We undertake quality audits to ensure high standards of quality and safety in our health care provision. Therefore, personal data collected when you access our services may be reviewed by:
- Internal auditors who will assess that information has been collected and recorded accurately
- External auditors such as regulating bodies to check that accurate information has been recorded (where such audits are carried out, strict confidentiality guidelines are adhered to)
- Insurance companies, where you have accessed our services under your insurance policy – specialist clinical roles within the insurance company may request certain data to check that we are providing a high-quality clinical service for their customers
- Commissioning bodies such as the NHS where we provide a contract for clinical services, may undertake audits on the quality of our care
For personal data processed in these circumstances we will be relying on the legal obligation basis for processing. In these scenarios only the minimum required data will be processed. If it is a requirement for health data to be processed, then this will be done so on the healthcare basis for processing.
Who your information is shared with
We employ a range of healthcare professionals to deliver our services, including radiographers, medical advisors, and a range of administrative roles.
At all times, healthcare professionals are responsible for complying with data protection legislation when handling your personal data, including any processing carried out by their private secretaries.
They are bound by our confidentiality and security policies, and applicable medical confidentiality guidelines, as well as their own codes of practice issued by their respective professional and regulating bodies which include the Health and Care Professions Council, General Medical Council, Nursing and Midwifery Council.
Disclosures within the company
Rutherford Diagnostics Limited is a subsidiary of Rutherford Health plc, a company based in the UK. Rutherford Health plc provides central resources for Rutherford Diagnostics Limited including finance, governance, internal auditing, senior management, marketing, health and safety and business development.
Types of processing of personal data that is undertaken by Rutherford Health plc can be found at www.rutherfordhealth.co.uk.
Access to your personal data and your health information is strictly controlled to ensure access is only allowed to those roles that require access and is in line with the lawful processes described in this policy. Sharing of your personal data with Rutherford Health limited will usually be for company administrative purposes and in such circumstances, we will rely on The Legitimate Interests Basis for sharing the information. Our specific legitimate interests are that it is commercially beneficial to have centralised responsibility for accounts and that it is beneficial to review matters and conduct audits across the group to ensure consistency of approach and standards.
Where special category personal data is shared this will be done based on The Legal Claims Basis, The Public Health Basis, The Health Care Basis or The Scientific Research Basis. If none of these legal bases are applicable, we will seek your Express Consent before sharing the information.
Sharing with other Healthcare Organisations
For your benefit, we may need to share your personal data as part of your treatment and care with other healthcare organisations e.g. your GP, NHS, ambulance services, and organisations who provide support services to us (diagnostic services, wellbeing services etc.).
Any sharing of personal data will only be undertaken where it is deemed ‘necessary’ in relation, where such data sharing is undertaken, contracts and data sharing agreements will be in place with the third party which stipulate the confidentiality and security and use of data shared.
Where you access services through your insurance policies, we will liaise with your insurer over your treatment and care and may be required to disclose information for the purpose of quality assurance.
We will rely on The Legitimate Interests Basis for sharing the information. Our specific legitimate interests are that it is in your interests and ours that you have complete healthcare provision and that sharing with other health professionals will allow a consistent approach and to ensure that treatments are compatible.
Where special category personal data is shared this will be done based on The Public Health Basis, The Health Care Basis or The Scientific Research Basis. If none of these legal bases are applicable, we will seek your Express Consent before sharing the information.
We may also share your personal information with family or friends that you have given us as emergency contacts. We will rely on The Consent Basis and/or Explicit Consent Basis for sharing our personal information in these circumstances.
Within the day to day running of our business, we may use third party organisations to support the essential delivery of services. These may be
- IT service providers
- Storage & shredding companies
- Debt management companies.
- Translation services
- Transport providers
Where third party organisations are used, who may have access to your personal data, we ensure that a contract is in place and security checks are undertaken.
We may also be required to share personal information to prevent fraud and to assist the police in the prevention and detection of a crime.
We may ask to use your personal information for the purpose of sharing your health journey via our Social Media accounts for publications. This will only be processed under explicit consent and supported with a contract explaining the use of your data.
Where we, or third-party companies who we engage with, ‘process’ data (transfer, store) outside of the UK, we ensure that appropriate security checks are undertaken, and that processing is in line with the data protection legislation.
Where data is processed outside of the UK, it will be processed by staff operating outside the UK who work for us or for third party companies engaged by us.
How we communicate with you
We may communicate with you by letter, telephone, email, text, or SMS. We will ask you which method of communication you prefer. It is important that you provide us with accurate information so that we can ensure the information we relay to you is done so in a confidential manner.
Where you request to receive all your information by email, we may not be able to guarantee the security of information sent over the internet but will discuss with you the options for password protecting and encryption of confidential health information that is sent by email.
It is important that we review and assess the quality of our services. Therefore, where you have accessed our services, we may contact you to ask you to complete a patient satisfaction survey.
It is also important that we monitor the outcomes of treatments provided; this is known as Patient Reported Outcome Measures (PROMS). To monitor outcomes, we may ask you to complete questionnaires relating to your health and quality of life or be interviewed over a period of time. We will talk to you about this during your treatment.
How we protect the security and confidentiality of your personal data
All employees are bound by contractual confidentiality clauses in employment contracts, receive mandatory training in data protection and confidentiality and process information under the direction of mandatory policies and procedures. Audits are carried out to ensure information recorded and created is accurate, up to date and kept securely.
Where information is shared with third-party organisations, due diligence is undertaken which include security assessments, and contracts and data sharing agreements are in place.
Business to Customer:
We would like to keep you updated on the services and treatments that we provide but will only do so where you have opted in to receive such updates. When you access our services, you are provided with an option to join our mailing list. You may also have the opportunity to opt in through links or forms when you visit our website or by completing forms when you attend events. When you opt in to receive information on our services, should you wish to stop receiving updates you can either contact us and we will remove you from any mailing lists, or use the opt-out link which is embedded within our communications to you.
Business to Business:
To promote the Rutherford Direct brand and product, we may conduct direct marketing campaigns to target corporate clients who may wish to purchase our product as an employee benefit. These campaigns will be conducted by either using prior consent from the individual or using a third-party mailing list. Where ‘Legitimate Interests’ is relied upon as a legal basis for processing, the individual reserves the right to opt out at any time. Any direct marketing conducted under ‘Legitimate Interests’ will only be used in relation to business-to-business customers.
We never share or sell your data to external marketing companies.
National Data Opt Out initiative
The national data opt-out initiative allows patients in England to opt out of their data being used for research and planning purposes. For this Privacy Notice, this relates to NHS patients who receive treatment and/or services at a Rutherford Cancer Centre, where you have been referred by the NHS. You can view or change your national data opt-out choice by visiting the following link:
or by calling 0300 303 5678.
See https://digital.nhs.uk/services/national-data-opt-out-programme for further information. To understand how we use your data for planning and research purposes see the table in this notice.
Your rights under data protection legislation
The right to be informed
You have the right to be informed of how we process your personal data. We inform you of how we process your data through the provision of this Privacy Notice, and in notices we provide when you register for our services. We also inform you of other types of processing such as call recording or CCTV through notices and recorded messages. You can also contact us at any time to query any aspect of the processing of your data.
The right to access your personal information
You may contact us to request details of the type of processing we carry out on your personal data and a copy of the personal information which we hold about you. This is known as a Subject Access Request and must be submitted in writing to the Data Protection Officer at the address shown below.
We must process your request within one month of receipt of the request, however, if it is a complex request we may need to extend this by up to two months. You will be kept informed if an extension is required.
The right to rectification
You have the right to have incorrect personal information amended or completed if it is incomplete.
The right to erasure
You have the right to request that we delete the personal information we hold about you. However, there are exceptions to this and in certain circumstances, we may not be able to comply with your request. For example, the right of erasure of personal information does not apply to special category data where it is being processed for medical diagnosis and the provision of health and social care.
The right to restrict processing
You have the right to limit the way we use your personal information in certain circumstances. For example, this may occur if:
- you have asked us to amend inaccurate information or
- you feel that your information has been unlawfully processed
The right to data portability
Where we are processing personal data purely in electronic format, there may be circumstances where you can request to have your data transferred (if technically possible) to another individual or organisation of your choice in an electronic format.
The right to object
You have the right to object to the processing of your personal data in certain circumstances:
You can ask us to stop processing your personal data for direct marketing at any time. When we receive an objection to processing for direct marketing we must stop processing your data for this purpose.
You have the right to object to us processing your personal data for our legitimate interests (i.e. our business reasons); however, you must give specific reasons as to why you are objecting. We may not be able to meet your request depending on the reasons stated.
Automatic decision-making and profiling
We do not use automated decision-making tools or profiling when you provide us with personal information.
Personal data collected when using our website
When you visit our website, we automatically collect the following information:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page
We also use third-party cookies to identify your IP address, which is then matched against public and proprietary IP address databases to provide us with information about your visit. This information may identify the organisation to whom the IP address is registered but not individuals, except for limited cases where single-person companies include personal data in public records. We use this to help us identify companies who may be interested in our product.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
How long do we keep personal data for?
Under data protection legislation personal data must only be processed for as long as it is necessary and not kept for an excessive period. The following table provides information on the retention periods for the type of data routinely processed at a Rutherford Diagnostic Centre. To ensure we can always provide the highest level of care and to ensure that we can monitor outcomes and conditions over a long period of time it is fundamental that certain information about individuals’ health is maintained so that it can be referred to at a later date. Please note, this does contain all data that we hold, however further information is available on request.
| Type of record | Retention period |
|---|---|
| Imaging Records | 8 years |
| CCTV (which is installed in areas such as car park, waiting room, clinical corridors) | Maximum of 31 days |
| Complaints file | 30 years |
| Litigation file | 30 years |
| Complaints file | 10 years |
| Litigation records | 10 years |
How to contact us
You can contact the Data Protection Officer by writing to us at:
The Data Protection Office
Rutherford Health plc
Suite 4 Penn House
9-10 Broad Street
How to complain
If you believe that your information has been unfairly or unlawfully used, you have the right to contact the Information Commissioner’s Office at the address below:
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate) or 01625 545 745
Previous versions of this privacy notice are available on request.