Your privacy is important to us. This Privacy Notice explains the manner in which London International Patient Services Limited (company no. 10111760), LIPS Holdings Ltd (company no. 15181415) and its wholly-owned subsidiary, LIPS Battersea Ltd (company no. 15262656) (“LIPS Healthcare”, “we” and “us”) collects, uses, maintains, and shares information about:
visitors to our website located at Expert Private Healthcare | LIPS Healthcare (lips.org.uk)
users of our healthcare services provided at the LIPS Pharmacy or LIPS Healthcare Clinic at Battersea Power Station (“Battersea”)
customers of healthcare professionals who provide services at locations other than Battersea and who are supported by LIPS Healthcare. Such healthcare professionals use our systems to hold your personal data and manage their delivery of services to you
We handle a wide range of information about you in order to support you and your needs. This Privacy Notice provides details of the personal data we collect from you, what we do with it, how you might access it and who it might be shared with.
We do not knowingly collect the data of children. Please do not provide data to us unless you are at least 18 years old.
1. Who ‘we’ are
Data Controllers are responsible for deciding how your data is held and used, and taking care of your data.
When you visit our website or make an enquiry by email or telephone then London International Patient Services Limited is the Data Controller of your personal data
If you receive services from Battersea, then LIPS Battersea Ltd is the Data Controller of your personal data
In all other cases where you receive care from a healthcare professional supported by LIPS Healthcare, London International Patient Services Limited is the Data Controller of your personal data
When we use the words ‘LIPS Healthcare,’ ‘we’, ‘us’ or ‘our’, this refers to the relevant company as outlined above.
As a Data Controller we ensure that anyone we work with, who might need to access your data, also takes care of it and follows our rules.
2. What we do with your personal data
The purposes for which we use your personal data are dependent on whether you use our website, our Battersea services and/or are accessing services provided by a healthcare professional supported by LIPS Healthcare.
If you use our Battersea services we use your personal data for the provision our healthcare services and the performance of our contract with you.
If you are the customer of a healthcare professional supported by LIPS, we will use your personal data to provide support services to that healthcare professional. These include, maintaining your patient record, arranging appointments and dealing with payments and insurance claims.
If you use our website, we will use your personal data to ensure the smooth running of the website.
We may also use your personal data for other similar purposes, including marketing and communications, but that will only occur if we have your consent or another legal justification for doing so.
Further detail about the purposes for which we use your personal data is set out at section 5 below.
3. What personal data do we collect?
In this policy your "data" means information or pieces of information relating to you or that could allow you to be directly or indirectly identified.
When we refer to a “LIPS healthcare professional” we mean a healthcare professional who delivers services on behalf of LIPS Healthcare at Battersea or who uses LIPS Healthcare to provide administrative support.
We may collect, use, store and transfer different kinds of data about you:
People who receive services from a LIPS healthcare professional
Contact Data includes data such as your email address, telephone number and correspondence address.
Identity Data includes data such as first name, last name, username or similar identifier, date of birth and gender assigned at birth, photographs of you that you send to us for identification purposes.
Health Data includes any information you provide to us or a LIPS healthcare professional about your physical or mental health, including images, correspondence/ reports relating to your health, current medication and your GP details if you choose to provide these to us. It also includes details of your appointments.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us
Profile Data includes any communications you have with us, purchases or orders made by you, your preferences, feedback and survey responses; and any information about you that we may legitimately access from social networking sites, for example, if you post about our services
Insurance Data includes information about your insurance company (if any), the extent of your cover and any claim that you make against your insurer in relation to our services
Marketing and Communications Data includes your preferences in receiving marketing from us, selected third parties and your communication preferences.
Sometimes you will have to provide data in order for your LIPS healthcare professional to be able to provide you with healthcare services, such as accurate information about your health and payment details.
All data that you provide must be true, complete and accurate. If you provide any inaccurate or false data will may record this and we may also report this to the appropriate authorities if we suspect fraud.
Website users
Technical Data includes data such as internet protocol (IP) address, your login data, browser type and version, cookies, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website and any communications we may send to you.
Usage Data includes information about how you use our website such as information about your visit to our website, including the full Uniform Resource Locators (URL) clickstream to and through, pages you viewed or searches you made, page response times, download errors, length of visit, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
Marketing and Communications Data includes your preferences in receiving marketing from us, selected third parties and your communication preferences.
When you use our website we may automatically collect and store information about your Technical Data and Usage Data for the purposes of research, analysis and to improve our services.
Technical Data is also collected from third party service providers, including analytics providers, advertising networks and search information providers.
Some of this information is collected using cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why we use them, and how you can control them, please see our cookies policy on our website.
Aggregated data
We may also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our service offering.
4. What rights do you have over your personal data?
Right of access: you have the right to obtain from us a copy of the data that we hold for you, and check that we are lawfully processing it.
Right to rectification: you can require us to correct errors in the data that we process for you if it is inaccurate, incomplete or out of date, though we may need to verify the accuracy of the new data you provide to us.
Right to portability: you can request that we transfer your data to another service provider if you initially provided consent for us to use the data or where we used the data to perform a contract with you.
Right to restrict or object to processing: in certain circumstances, you have the right to require that we restrict the processing of your data if you believe our processing impacts on your fundamental rights and freedoms. However, we may demonstrate that we have legitimate grounds to process your data not withstanding your rights and freedoms.
Right to be forgotten: you also have the right at any time to require that we delete the data that we hold for you, where it is no longer necessary for us to hold it. However, whilst we respect your right to be forgotten, we may still retain your data in accordance with applicable laws, and when we respond to your request we shall notify you of any specific legal reasons that we have to retain your data.
Right to stop receiving marketing information: you can ask us to stop sending you information about our services, but please note we shall continue to contact you in relation to any matters relating to your account, if you have one.
Right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Request restriction of processing your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
If you want us to establish the data's accuracy;
Where our use of the data is unlawful but you do not want us to erase it;
Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Note that there are some exceptions to these rights set out in the data protection legislation, which may apply to requests made by you.
We reserve the right to charge an administrative fee if your request in relation to your rights is manifestly unfounded or excessive.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
5. How we lawfully process your data
We will only use your data where we have a lawful basis to do so (also known as an Article 6 condition). The lawful basis that we rely on are:
For Battersea patients, performance of our contract with you – including carrying out any preliminary checks needed before agreeing to provide you with services.
Compliance with legal requirements.
Legitimate interests. When we refer to legitimate interests we mean our legitimate business interests in the normal running of our business which do not materially impact your rights, freedom or interests. We do not use your personal data for activities where our interests are overridden by the impact on you.
There are special rules about how we can use Health Data. For Health Data, in addition to the lawful basis outlined above, we must also comply with an Article 9 condition. Below we have set out the conditions that we are relying upon under both these Articles in order to use your data.
Purpose | Type of data typically used | Article 6 Condition | Article 9 Condition |
To register you as a new customer | (a) Identity (b) Contact (c) Health | Article 6(1)(b) - performance of a contract with you (Battersea patients only) Article 6(1)(f) – necessary for legitimate interests (supporting clinicians who use LIPS services) | Article 9(2)(h) - healthcare and social care purposes |
Carry out identity and/ or soft credit checks | (a) Identity (b) Contact (c) Financial (d) Profile | Article 6(1)(b) - performance of a contract with you (Battersea patients only) Article 6(1)(f) – necessary for legitimate interests (supporting clinicians who use LIPS services) | Not applicable – no Health Data used |
To process and deliver services to you including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us or clinicians we support | (a) Identity (b) Contact (c) Health (d) Financial (e) Transaction (f) Marketing and Communications | Article 6(1)(b) - performance of a contract with you (Battersea patients only) Article 6(1)(f) – necessary for legitimate interests (supporting clinicians who use LIPS services; debt collection) | Article 9(2)(h) - healthcare and social care purposes |
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Dealing with your requests, complaints and queries | (a) Identity (b) Contact (c) Health (d) Profile (e) Marketing and Communications | Article 6(1)(b) - performance of a contract with you (Battersea patients only) Article 6(1)(c) - necessary to comply with a legal obligation Article 6(1)(f) – necessary for our legitimate interests (to keep our records updated and manage our/ your clinician’s relationship with you) | Article 9(2)(h) - healthcare and social care purposes |
To enable you to participate in marketing promotions such as competitions or complete a survey | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | Article 6(1)(b) - performance of a contract with you (Battersea patients only) Article 6(1)(f) – necessary for our legitimate interests (to study how customers use our/ our clinicians’ products/services, to develop them and grow business) | Not applicable – no Health Data used |
To administer and protect our business and our websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data); to maintain and improve the quality of our services | (a) Identity (b) Contact (c) Health (d) Technical | Article 6(1)(c) - necessary to comply with a legal obligation Article 6(1)(f) - necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) | Article 9(2)(h) - healthcare and social care purposes |
To deliver relevant website content and online advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | Article 6(1)(f) - necessary for our legitimate interests (to study how customers use products/services, to develop them, to grow business and to inform marketing strategy) | Not applicable – no Health Data used |
To use data analytics to improve our website, products/services, customer relationships and experiences and to measure the effectiveness of our communications and marketing | (a) Technical (b) Usage | Article 6(1)(f) - necessary for our legitimate interests (to identify types of customers using our services, to keep our website updated and relevant, to develop business and to inform marketing strategy) | Not applicable – no Health Data used |
To send you relevant marketing communications and make personalised suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications | Article 6(1)(f) - necessary for our legitimate interests (to carry out direct marketing, develop products/services and grow business) | Not applicable – no Health Data used |
To carry out market research through your voluntary participation in surveys | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications | Article 6(1)(f) - necessary for our legitimate interests (to study how customers use products/services and to help us improve and develop products and services). | Not applicable – no Health Data used |
Co-operate with regulators, like the Care Quality Commission | (a) Identity (b) Contact (c) Health (d) Profile (e) Marketing and Communications | Article 6(1)(c) - compliance with a legal obligation Article 6(1)(f) - legitimate interests (we have a legitimate interests in working with our regulators) | Article 9(2)(g) - substantial public interest Article 9(2)(h) – healthcare and social care purposes |
Deal appropriately with any risk to public health | (a) Identity (b) Contact (c) Health (d) Profile (e) Marketing and Communications | Article 6(1)(c) - compliance with a legal obligation Article 6(1)(f) - legitimate interests (we have a legitimate interest in being able to respond appropriately) | Article 9(2)(i) – public health |
Comply with a legal obligation, like a court order requiring us to release information and anti-money laundering rules | (a) Identity (b) Contact (c) Health (d) Financial (e) Transaction (f) Profile (g) Technical (h) Usage (i) Marketing and Communications | Article 6(1)(c) - compliance with a legal obligation | Article 9(2)(f) - establishment, exercise or defence of legal claims Article 9(2)(g) - substantial public interest |
Deal with disputes and legal claims | (a) Identity (b) Contact (c) Health (d) Financial (e) Transaction (f) Profile (g) Technical (h) Usage (i) Marketing and Communications | Article 6(1)(f) - legitimate interests (we have a legitimate interest in being able to deal with disputes and legal claims) | Article 9(2)(f) - establishment, exercise or defence of legal claims |
To obtain advice from our professional advisers, such as accountants and auditors | (a) Identity (b) Contact (c) Health (d) Financial (e) Transaction (f) Profile (g) Technical (h) Usage (i) Marketing and Communications | Article 6(1)(f) - legitimate interests (we have a legitimate interest in being able to seek and obtain professional advice) | Article 9(2)(f) - establishment, exercise or defence of legal claims Article 9(2)(h) - healthcare and social care purposes |
In connection with, or during negotiations of, any merger, sale of assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company. | (a) Identity (b) Contact (d) Financial (e) Transaction (f) Profile (g) Technical (h) Usage (i) Marketing and Communications | Article 6(1)(f) - legitimate interests (we have a legitimate interest in being able to participate in such negotiations/ transactions) | Not applicable – no Health Data used |
If we supply you with products and services this will be done in accordance with our Customer Terms and Conditions. We are not able to provide health-related service unless you provide us with relevant Health Data and keep that information complete and accurate.
6. Where we get your data from
There might be some instances where we receive data about you from other organisations or people such as credit reference agencies, the electoral register, and our verification partners – for purposes such as verifying your identity and confirming the validity of data relating to you.
We may also receive data about you from our partners such as:
other healthcare professionals involved in your care, for example your NHS GP
your insurance company
our payment services provider
our data analytics service providers, advertising networks and search information providers
our debt collection agency
7. Who we share your data with
There may be situations in which a third party will need to access or be given a copy of your personal data. Some examples have been included below:
Healthcare professionals who are Data Controllers in their own right (for example, in order to deliver your care)
Companies within the LIPS group, where this assists the delivery of services to you or a LIPS Healthcare Professional
Suppliers or collaborators (for example, in order to provide bespoke 3D prosthetics, or to support our IT infrastructure)
Regulators, authorities or government bodies (for example, in order to resolve a complaint that has been raised or to conduct professional body safety reviews)
Professional advisers, including external legal advisors, insurance companies and medical experts (for example, in order to resolve a legal claim or dispute, to provide pre and/or post procedure reviews)
Third parties for the purposes of debt collection
Third party payment processor companies. For the avoidance of doubt, LIPS Healthcare will not store any of your payment card details
Delivery companies for the purposes of transportation
Third parties for health, wellbeing & patient safety analysis
Third party service providers for the purposes of storage of information and confidential destruction of information.
Third party service providers for the purpose of administrative and back-office functions.
Where a third party Data Processor is used, we ensure that, in addition to their obligations under data protection laws, they operate under contractual restrictions which aim to safeguard the confidentiality and security of your information.
8. Where in the world your data is physically sitting
We may need to transfer your information to other LIPS Healthcare Group companies or service providers in countries outside the United Kingdom and European Economic Area (EEA). The EEA consists of countries in the European Union, Switzerland, Iceland, Liechtenstein and Norway: they are considered to have equivalent laws when it comes to data protection and privacy.
Transfers of data outside the UK and EEA may happen if our servers (i.e., where we store data) or our suppliers and service providers are based outside the UK and EEA, or if you use our services and products while visiting countries outside this area. For example, we currently carry out some administrative processing securely from our Cairo, Egypt location. In some cases processing of personal data may also be carried out in the United States of America.
Where we store or share personal data with a third party in a country outside of the UK or EEA, we will put appropriate safeguards in place to protect that data in accordance with the applicable data protection laws and the ICO’s guidance. These can range from a contract with that third party supplier that includes the ICO’s International Data Transfer Agreement through to technical measures to protect it while it gets there. If you would like further detail please contact dataprotection@lips.org.uk
We may also need to share your data with a third party in a country outside of the UK if you are a resident of another country and that third party is authorising or providing part of your care. Again, if you would like further detail please contact dataprotection@lips.org.uk
9. How long we keep your data
We only keep your data as long as it is required either by English Law, health regulatory best practice, codes of practice, or our own legitimate business needs in line with our corporate policies.
The length of retention varies per type of record. Some records are only kept short-term, and some kept more long-term if they relate to legal matters or long-term medical conditions. Below are the considerations we use to determine the appropriate retention period:
The purposes for which we process your personal data and whether we can achieve those purposes through other means
The applicable legal, regulatory, tax, accounting or other requirements
The amount, nature, and sensitivity of the personal data
The potential risk of harm from unauthorised use or disclosure of your personal data.
10. How we protect your data
Your data is safeguarded to the level of protection necessary for your data while it is in our management. All information collected is secured against unauthorised access, damage, loss or destruction; whether physical or electronic. Our ISMS (information security management system) is certified to ISO/IEC 27001:2013. Our UK business is also Cyber Essentials Plus certified. We maintain what we believe are appropriate security controls in place to protect personal data. Risk assessment, including assessing risks to the rights and freedoms of data subjects, is at the heart of our ISMS.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your data, we cannot guarantee the security of your data transmitted to our website or by us to your personal email address. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
11. How to Contact Us.
If you wish to exercise your data protection rights or have any questions or queries about how we handle your personal data, please contact the relevant privacy team (see section 1 for guidance):
London International Patient Services Limited
dataprotection@lips.org.uk,
+44 (0) 207 164 6114
LIPS Privacy Team, LIPS Healthcare, 5 Devonshire Place, London, W1G 6HL
LIPS Battersea Ltd
Our Data Protection Officer (DPO) is GRCI Law Limited, at dpoaas@grcilaw.com, Unit 3, Clive Court, Bartholemew’s Way, Cambridgeshire Business Park, Ely CB7 4EA.
For individuals who are based in the EU, we have appointed IT Governance Europe Limited to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your EU rights or general privacy matters, please email our Representative at eurep@itgovernance.eu
Please ensure to include the relevant company name in any correspondence you send to our representatives.
12. How to complain
You have the right to complain to the Information Commissioner’s Office (www.ico.org.uk), who are responsible for monitoring compliance with UK data protection laws.
If you have a complaint about how we have used your personal data, we ask that you let us know before going to the ICO, so that we have the opportunity to put things right. You can make a complaint by contacting complaints@lips.org.uk
13. Updating this policy
We may update this policy from time to time. This Policy was last updated on September 2024. You may contact us if you wish to review any previous version