Your Information, What You Need to Know
The services we provide can be categorised as:
- JACE Medical offers a range of patient-focused services to the public, NHS and private sector. We operate a clinic with treatment rooms for clinical disciplines including COVID-19 testing, dietician services, dermatology, blood testing and endoscopy, and we continue to grow.
JACE Medical is a registered “Data Controller”. Information Commissioner’s Office (ICO) Registration No: ZB289886
This notice explains how we use and share your information. Information may be collected on paper, or online forms, email, CCTV or by a member of staff.
We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.
Data Controller Name: J.J.A.C.E Ltd
Address: Unit 1 & 2, The Vale Centre, Clooney Road, Greysteel, Londonderry
Telephone Number: 0333 40 41 999
Data Protection Officer: Registered Manager
What is UK GDPR?
The UK General Data Protection Regulation (GDPR) is a regulation intended to strengthen and unify data protection for all individuals. At JACE Medical, we are committed to ensuring the protection of your personal information. In accordance with UK GDPR guidelines, our aim is to have safeguards in place to protect your privacy and ensure that you feel confident about the security of the personal data which you provide to us.
Why are you processing my personal information?
This privacy notice is to let you know how our clinic will look after your personal information. If we provide you with a clinical or nursing service, then we will use your personal information in the ways set out in this privacy notice. Under Data Protection Laws, we can only process your personal information where we have a proper reason for doing so, such as:
- It is in our legitimate interests to do so – for example a legitimate interest is when we have a reason to use your information to enable your consultant to provide treatment or care and order medical tests
- We are required to do so by law, i.e. a legal obligation
- You have entered a contract with us for a service – for example processing credit card payment
- In the public interest – where this has a clear basis in law
- Vital interests – for example protection of life in a medical emergency
What categories of personal data are we processing?
Types of personal data
Name, home address, gender, age, date of birth, next of kin details, GP details, telephone numbers, health and social number, existing medical conditions, presenting medical condition, email address, bank details, insurance policy number, CCTV
Special categories of personal data
Certain categories of personal data have additional protection under the GDPR. The categories are health, criminal convictions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric or data concerning sex life or sexual orientation.
We will collect varying levels of data that may fall under this depending on what service we are providing to you.
JACE Medical use information to support and monitor our services to enable the delivery of high-quality healthcare. This type of information will usually be provided in an aggregate or anonymised form, so that we cannot identify an individual.
JACE Medical may ask for and hold various details of personal information regarding yourself which will be used to aid in the delivery of appropriate care and treatment. Personal data is any information that is identifiable as belonging to you.
JACE Medical will request personal data from patients attending the clinic for an outpatient appointment, for the sole purpose of creating a medical file on the individual patient. The personal data held on file will be shared with the Consultant with whom the patient is attending.
When relevant, it will also be shared with the Medical Insurance Company with whom the patient is insured, and with the Private Healthcare Information Network. We have a legal requirement under the CMA Private Healthcare Market Investigation Order 2014 to provide data on some theatre procedures; when you attend the clinic, you have the option of anonymising this.
In addition we may also ask and retain data for the following:
- All details relating to any previous, current or planned treatment and care, including all notes and reports relating to your health
- All healthcare results such as X-ray, CT or MRI results, blood tests etc.
- Marketing preferences relating to group services and products
- Education and training, most frequently of staff and clinicians
- Employment details, for example for those that work for us either directly or are commissioned by us to provide a service
- Responses to surveys, where individuals have responded to surveys about healthcare issues, service levels, training courses or other group company activities
- User IP addresses in circumstances where they have not been deleted, clipped or anonymised
- Payment information including card details
- Any further information that you choose to tell us
Further health related information such as whether or not you have a disability or other health conditions, such as allergies. Vaccination status.
Where do you get my personal data from?
- Information directly given to us by yourself by email, phone, letter etc.
- Information provided by a parent, carer or guardian
- Information provided from healthcare professionals such as treating consultants, your GP, dentist or physiotherapist
- Information received from Health and Social Care Trusts
- Information provided by an employer, insurer
- Marketing opt ins
- Completed feedback surveys
- Registration or booking online for any of our services.
- Debt collection agencies or government agencies
- Use or viewing of our website, via your browser’s cookies.
In order for us to provide your health assessment, care and/or treatment, we ask that you provide as much information to us as you can.
You are of course free not to disclose information to us and you should only provide such information as you feel comfortable doing so. Please bear in mind, however, that if you are only willing to share limited information, we may not be able to provide you with a full health assessment or the full range of care and treatment (as applicable), and that could mean being unable to see you at the clinic (since we may not be able to share your information in the way required in order to provide your health assessment, care or treatment, or run our business (for example, billing) and comply with our legal obligations).
Why do we collect data and who are the recipients of that data?
We collect data to provide details to the Consultant in charge of your care and to enable the Consultant to provide continuing care via your General Practitioner. Financial and health insurance data is collected for the purposes of payment of your medical bills.
How long will the data be retained?
Data will not be retained for any longer than is required. We will retain your medical records for 7-10 years, as required by our insurance provider and as required by regulations (Access to Health Records Legislation (NI) Order 1993 and Records Management – Good Management Good Records. DHSSPS revised October 2015).
The information about you that we hold and use is held securely and stored in paper format and on our secure servers. We retain your records for certain periods (depending on the particular type of record) under our retention of records policy. This is to ensure that information is properly managed and is available whenever and wherever there is a justified need for that information, including to support patient care and continuity of care; to support evidence-based clinical practice and to assist clinical and other audits; to support our legitimate interests, and to meet legal requirements. Your records may be transferred to an off-site storage provider. Your records may not be retained in hard copy form where a digital copy exists. If you would like more detailed information on this, please contact our Data Protection Officer.
Individual rights under GDPR
You have a number of rights under the Data Protection Laws in relation to the way we process your personal data, which are set out below.
- Right to be Informed – This is provided through the privacy notice on our website and in the patient information file in the waiting room.
- Right of Access – You have the right to access your personal data and supplementary information. We will aim to respond to any request received from you within one month from your request, although this may be extended in some circumstances in line with Data Protection Laws. If you wish to obtain access to your file, you must write to us at the address below. Access to your data will usually be provided free of charge, although in certain circumstances we may make a small charge where we are entitled to do so under Data Protection Laws.
- Right to Rectification – The right to ask us to correct your information if you think the information that we hold about you is wrong or incomplete. We will respond within one month.
- Right to Erasure – The right to object to our use of your information, or to ask us to delete, remove or stop keeping it if there is no need for us to keep it. This is known as the ‘right to object’, the ‘right to erasure’ or the ‘right to be forgotten’. There may however be legal or regulatory reasons why we need to keep or use your information.
- Right to Restrict processing – We may sometimes be able to restrict the use of your information so that it is only used for legal claims or to exercise legal rights. In these situations, we would not use or share your information while it is restricted.
- Right to Data Portability – The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- Right to Object – Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority. There is a contractual requirement when patients attend JACE Medical for their personal data to be processed in order to provide medical care and treatment. You may object to the use of your personal data being given to the Public Healthcare Information Network – this can be anonymised and is provided for in the theatre admission process.
- Right not to be evaluated on the basis of automated processing – Patients who attend JACE Medical will not be evaluated on the basis of automated processing nor is any decision making automated.
How your information and data is used?
- To ensure that you receive safe, effective and appropriate treatment
- To assist in decision making surrounding your care
- To ensure effective working with other organisations e.g. the Health and Social Care Trusts, who may be involved in your care
- To ensure that our services meet your current and any future needs
- To ensure that the care we provide is to the highest standard and can be reviewed as necessary
- To provide you with any goods and/or services that have been ordered
- To contact you with regard to any enquiries that have been made
- Marketing activities for example to send you other JACE Medical information such as courses, newsletters or product releases that we feel may be of interest to you
- For Research and Audit purposes
- To prepare statistics on performance
- In order to train Healthcare Professionals and support staff
- To help us to establish, exercise, or defend legal claims
- To collect payment
Who will your information and data be shared with?
To enable us to fulfil our duties and ensure that the best care possible is provided, we will need to share information about you with others. We may need to share your information with a range of other parties including Health and Social Care organisations and regulatory bodies. You may be contacted by any one of these organisations for a specific reason; the organisation will have a duty to be able to tell you why they are contacting you. Where appropriate and in accordance with local laws and requirements, we may share your personal data, in various ways and for various reasons, with the following categories of organisations:
- Regulators – Regulation and Quality Improvement Authority (RQIA), Medicines and Healthcare products Regulatory Agency (MHRA)
- Commissioning bodies – Department of Health (DOH), Health and Safety Executive (NI)
- Government agencies – DVLA, HMRC, PSNI
- National databases
- External companies necessary for the delivery of health assessment, treatment and care such as laboratories for blood or tissue testing and blood banks
- Other third-party service providers who perform functions and tasks on our behalf (including debt collection, external consultants, transcription services, business associates and professional advisers such as lawyers, auditors and accountants, technical support functions and IT consultants)
- Card payment processing
- Third-party outsourced HR functions
We will share your medical information with those involved in your health assessment, care or treatment (such as Consultants and nurses) for medical purposes (including the provision of health assessments). We try to ensure there is a single patient record for each patient who is seen at our facilities whether as an outpatient or day case and we ask consultants working at our facilities to ensure a copy of their records, including consultation records, is included in each patient’s records at the hospital. We may also share relevant parts of your medical information with your GP, NHS hospitals, other private hospitals and the organisation paying for your treatment (for example your insurance company, embassy, employer or NHS commissioner). For our health assessment clients who come to us through their employer’s health assessment benefit scheme, please be assured that we will not share your medical information with your employer.
We may share information about you with anyone you have asked us to communicate with or whose details you have provided as an emergency contact (such as your next of kin). Where patient information is shared with other organisations, an information sharing agreement will be drawn up to ensure that all information that is shared is done so in a way which complies with all relevant legislation.
Where you have provided consent
You may choose to opt in to receiving information about other services JACE Medical offers by social media, post or email. In this case, your consent or decision to opt in is entirely voluntary. Should you decide not to consent or opt in or should you change your mind at any time, you do not need to give a reason and your medical care and legal rights will not be affected. You can opt-out by clicking on the ‘unsubscribe’ button in all our marketing communications. Apart from this limited instance, we do not hold or share information about you based on (or at least solely on) consent.
Security of your Information
- All JACE Medical staff have contractual obligations of confidentiality, enforceable through disciplinary procedures
- Everyone working for JACE Medical is subject to the common law duty of confidentiality
- Staff are granted access to personal information as required to do their job on a day-to-day basis. Access is provided in accordance with relevant internal processes and appropriately recorded
- JACE Medical has a Data Protection Officer who provides advice and guidance in the area of protection and compliance with accountability under GDPR
- All staff are required to undertake information governance training on a regular basis
Permission and Privacy
JACE Medical consultants and other health professionals caring for you keep records about your health and any treatment and care you receive. These help ensure you receive the best possible care from JACE Medical. They may be written down (manual records) or held on computer.
All information in our records will be kept confidential in line with the Data Protection Act and other regulations and personal information will not be given to anyone else without your permission. If you would like copies of your medical notes created while attending JACE Medical, you need to fill in a request form which can be provided by emailing email@example.com.
All patients/clients should be given enough information about their medical condition, proposed treatments, possible alternatives and any substantial risks to allow them to make a balanced judgement as to whether to give or withhold permission for treatment.
One of the basic principles of health care is that patients/clients have the right to give or withhold consent before being examined or treated. While this is a general principle, there are circumstances that justify examination or treatment without permission. Wherever possible staff will respect patient/client wishes at all times.
The medical and nursing staff will give you as much information as possible about your medical condition and treatment. Please ask if you are unsure about anything.
What is GDPR?
GDPR, which stands for General Data Protection Regulation, is a comprehensive set of regulations designed to enhance and unify data protection practices for individuals. At JACE Private Clinic, we prioritise the security and privacy of your personal information. In adherence to GDPR guidelines, we have implemented stringent safeguards to ensure the confidentiality of the data you provide us, instilling confidence in the protection of your privacy.
Data Protection Privacy Notice
This privacy notice outlines how our clinic handles and safeguards your personal information. If you receive medical or nursing services from us, we will utilise your personal information as described in this notice.
Under Data Protection Laws, we are only authorised to process your personal information when there is a valid reason, including:
- Legitimate interests: We may use your information to enable your consultant to deliver treatment, provide care, or order medical tests, among other legitimate purposes.
- Legal obligations: In certain situations, we are obligated by law to process your personal information.
- Contractual agreement: If you have entered into a contract with us for a service, we may process your information, such as processing credit card payments.
- Public interest: When processing your information aligns with a clear legal basis in the public interest.
- Vital interests: For example, in a medical emergency where it is necessary to protect a person’s life.
What personal data do we collect?
At JACE Private Clinic, we gather information to support and monitor our services in order to provide high-quality healthcare. This information is typically collected in an aggregated or anonymised form, ensuring that individuals cannot be personally identified.
We may request and retain various personal details about you, which will be used to facilitate appropriate care and treatment. Personal data includes any information that can be attributed to you as an individual.
When attending our clinic for an outpatient appointment, we will ask for personal data solely for the purpose of creating a medical file specific to the individual patient. This personal data will be shared with the attending consultant. Additionally, when relevant, we may share data with the patient’s Medical Insurance Company, and in compliance with the CMA Private Healthcare Market Investigation Order 2014, we may provide certain theatre procedure data to the Private Healthcare Information Network. Please note that you have the option to anonymize this data during your visit to the clinic.
At JACE Private Clinic, we collect personal data which may include the following:
- Patient’s name
- Date of birth
- Insurance Policy Number
- Contact telephone number
- GP name & address
- Private health insurance company, account number, and authorisation code
- Medical records of your appointment at JACE Private Clinic
- Bank details
- Email address
Additionally, we may also request and retain data related to the following:
- Details of previous, current, or planned treatment and care, including health notes and reports
- Healthcare results such as X-ray, CT or MRI results, blood tests, etc.
- Marketing preferences for group services and products
- Education and training information, particularly for clinicians such as GPs
- Employment details for individuals working directly or commissioned to provide services
- Survey responses on healthcare issues, service levels, training courses, or other company activities
- User IP addresses, unless deleted, clipped, or anonymised
- Payment information, including card details
- Any additional information voluntarily shared by you
In certain circumstances, the following may also be collected:
- Sensitive personal data such as race, ethnic origin, political and religious beliefs, sex life, sexual orientation, genetic data, and biometric data
- Further health-related information, such as disability status, health conditions, allergies, and vaccination status
The information and data mentioned above are collected through various means, including:
- Directly provided by you through email, phone, letter, etc.
- Provided by a parent, carer, or guardian
- Shared by healthcare professionals such as consultants, GPs, dentists, or physiotherapists
- Received from Northern Ireland Health and Social Care Trusts
- Provided by an employer or insurer
- Marketing opt-ins
- Completed satisfaction surveys
- Online registration or booking for our services
- Voluntary participation in customer surveys or feedback via our website or email
- Information obtained from debt collection agencies or government agencies
- Use or browsing of our website through browser cookies
To ensure we can provide the best health assessment, care, and treatment, we encourage you to provide us with as much information as possible. However, you have the freedom to choose not to disclose certain information, and you should only share what you feel comfortable with. Please note that if you provide limited information, it may affect our ability to offer a comprehensive health assessment or provide the full range of care and treatment. In such cases, we may be unable to accommodate your visit to the hospital or clinic due to the inability to share the necessary information required for assessment, care, treatment, and compliance with legal obligations, including billing and other operational requirements.
Why do we collect data and who receives it?
At JACE Private Clinic, we collect data to ensure the highest quality of care for our patients. The primary recipients of this data are the Consultant in charge of your care and your General Practitioner, who will provide continuing care. Additionally, we collect financial and health insurance data for the purpose of facilitating the payment of your medical bills.
How long will the data be retained?
We understand the importance of data privacy and follow strict guidelines regarding data retention. Your medical records will be retained for a period of 7-10 years, as required by our insurance provider and in compliance with relevant regulations. These regulations include the Access to Health Records Legislation (NI) Order 1993 and Records Management – Good Management Good Records, revised by DHSS in October 2015.
We take the security of your information seriously, and all the data we hold and use is securely stored, both in paper format and on our secure servers. Our retention of records policy ensures that information is appropriately managed and accessible whenever and wherever it is justified and necessary, such as to support patient care, maintain continuity of care, enable evidence-based clinical practice, conduct audits, protect our legitimate interests, and meet legal requirements. In some cases, your records may be transferred to an off-site storage provider. If there is a digital copy of your records, hard copies may not be retained.
If you would like more detailed information regarding our data retention policies or have any concerns about your data, please feel free to contact our Data Protection Officer. Their contact details can be found below.
Individual rights under GDPR at JACE Private Clinic
At JACE Private Clinic, we respect your individual rights under the General Data Protection Regulation (GDPR) in relation to the processing of your personal data. We are committed to safeguarding your privacy and ensuring transparency in how we handle your information. Below are the rights you have under the Data Protection Laws:
- Right to be Informed: We provide you with information about how we process your personal data through our privacy notice, available on our website and in the patient information file located in the waiting room.
- Right of Access: You have the right to access your personal data and any supplementary information we hold about you. We strive to respond to your requests within one month, although there may be circumstances where this timeframe is extended in accordance with Data Protection Laws. To obtain access to your file, please send a written request to the address provided below. In most cases, access to your data will be provided free of charge. However, there may be instances where a small fee is applicable as permitted by Data Protection Laws.
- Right to Rectification: You have the right to request the correction of any inaccurate or incomplete information we hold about you. We will address your request within one month.
- Right to Erasure: You have the right to object to the use of your information or request its deletion, removal, or cessation of processing if there is no legitimate need for us to retain it. This right is also known as the “right to object,” the “right to erasure,” or the “right to be forgotten.” However, legal or regulatory obligations may require us to retain or use your information even if you exercise this right.
- Right to Restrict Processing: In certain situations, you may request the restriction of processing your information. This means that your data will only be used for legal claims or to exercise legal rights. While your data is restricted, we will not use or share it for other purposes.
- Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services. This facilitates the transfer of your information in a commonly used, machine-readable format.
- Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or the performance of a task carried out in the public interest/exercise of official authority. Please note that there is a contractual requirement for your personal data to be processed when you receive medical care and treatment at JACE Private Clinic. However, you can object to the use of your personal data being shared with the Public Healthcare Information Network, which can be anonymized and is part of the theatre admission process.
- Right not to be evaluated on the basis of automated processing: JACE Private Clinic does not evaluate patients on the basis of automated processing, and no automated decision-making is involved.
How we use your information and data:
- Ensuring that you receive safe, effective, and appropriate treatment.
- Assisting in decision-making related to your care.
- Facilitating effective collaboration with other organizations, such as Health and Social Care Trusts, involved in your care.
- Meeting your current and future healthcare needs.
- Maintaining the highest standards of care and enabling necessary reviews.
- Providing goods and/or services that have been ordered by you.
- Contacting you regarding any inquiries you have made.
- Conducting marketing activities, such as sending you information about other services, courses, newsletters, or product releases from JACE Private Clinic that may be of interest to you.
- Conducting research and audits.
- Preparing statistical reports on performance.
- Training healthcare professionals and support staff.
- Assisting in the establishment, exercise, or defence of legal claims.
- Collecting payment for services rendered.
For any queries or requests regarding your personal data, please contact us at the address provided below:
JACE Private Clinic
Unit 1 & 2 The Vale Centre
We are dedicated to upholding your rights and ensuring the proper handling of your personal data in accordance with the applicable Data Protection Laws.
Who will have access to your information and data at JACE Private Clinic?
At JACE Private Clinic, we prioritise providing the best care possible, and to fulfil our responsibilities, it is necessary to share your information with relevant parties. This may include Health and Social Care organisations, regulatory bodies, and other entities involved in your treatment. These organizations may contact you for specific reasons, and they have a duty to explain the purpose of their communication.
In compliance with local laws and requirements, we may share your personal data, for various reasons, with the following categories of organizations:
- Regulators: RQIA (Regulation and Quality Improvement Authority), MHRA (Medicines and Healthcare products Regulatory Agency)
- Commissioning bodies: NHS (National Health Service), HSE (Health Service Executive)
- Government agencies: DVLA (Driver and Vehicle Licensing Agency), HMRC (Her Majesty’s Revenue and Customs), PSNI (Police Service of Northern Ireland)
- National databases: e.g., PHIN (Private Healthcare Information Network), NHS England Breast Implant Registry
- Employees and associates of JACE Private Clinic (see below)
- External companies essential for the delivery of health assessment, treatment, and care, such as laboratories for blood or tissue testing and blood banks
- Third-party service providers who perform tasks on our behalf, including debt collection, external consultants, transcription services, business associates, and professional advisers (such as lawyers, auditors, and accountants), technical support functions, and IT consultants
- Card payment processing
- Third-party outsourced IT and document storage providers
For medical purposes, we will share your medical information with healthcare professionals involved in your assessment, care, or treatment, including doctors, nurses, and physiotherapists. Some nursing staff and resident doctors may be provided by specialist staffing agencies. Consultants (such as surgeons, anaesthetists, and radiologists) and their medical secretaries also have access to relevant patient records. Our aim is to maintain a unified patient record for each individual seen at our facilities, whether as an inpatient, outpatient, or day case. We request that consultants working at our facilities include a copy of their records, including consultation records, in each patient’s hospital records.
We may also share pertinent parts of your medical information with your GP (General Practitioner), consultant, dentist, NHS hospitals, other private hospitals, and the organization responsible for funding your treatment (e.g., insurance company, embassy, employer, or NHS commissioner). Please note that if you are a health assessment client referred through your employer’s benefit scheme, we will not share your medical information with your employer.
In situations where you have specifically requested communication or provided emergency contact details (such as next of kin), we may share information about you with those individuals. Whenever patient information is shared with other organizations, an information sharing agreement will be established to ensure compliance with relevant legislation.
Consent-based sharing: If you choose to opt in, you may receive information about additional services offered by JACE Private Clinic through social media, AdWords, post, or email. Your decision to provide consent or opt in is entirely voluntary, and you can change your mind or withdraw your consent at any time without needing to provide a reason. Your medical care and legal rights will not be affected in such cases. To opt out, you can click the “unsubscribe” button in all our marketing communications. However, it is important to note that, apart from this limited instance, we do not rely solely on consent when it comes to holding or sharing information about you.
For further information, please contact JACE Private Clinic: JACE Private Clinic, The Vale Centre, Greysteel, Londonderry~Derry. BT47 3GE Tel: +44 (0) 333 40 41 999