LIPS PRIVACY NOTICE

Your privacy is important to us. This Privacy Notice explains the manner in which LIPS Holdings Ltd (company no. 15181415) and its wholly-owned subsidiaries, London International Patient Services Ltd (Company no. 10111760) and LIPS Battersea Ltd (company no. 15262656) (“LIPS”, “we” and “us”) collects, uses, maintains, and shares information about visitors to our website located at


Expert Private Healthcare | London International Patient Services (lips.org.uk)

 

As a healthcare provider, we handle a wide range of information about you in order to support you and your needs.  This Privacy Notice provides details of the personal data we collect from you, what we do with it, how you might access it and who it might be shared with.

 

1. Who ‘we’ are

  • When we outline to you how we take care of your data you will notice we use the words ‘LIPS, ‘we’, ‘us’ or ‘our’. This means we are referring to London International Patient Services. We are a limited company registered in England and Wales.

  • We are, in almost all circumstances, what is called the ‘

Data Controller

’ of your personal data. We are responsible for deciding how we hold and use your data, for taking care of your data and ensuring that anyone we work with, who might need to access your data, also takes care of it and follows our rules. If there is ever a situation where another organisation or person is the Data Controller of your data, we will let you know.

 

2. What we do with your personal data

  • We process personal data only for the purpose for which it is collected. The purpose is dependent on whether you use only our website, or additionally, our services. If you use our services, you are required to register, and we collect your personal data. We use this personal data for the provision of the service or the performance of the contract. We may use your personal data for other similar purposes, including marketing and communications, but that will only occur in the case we have your consent or another legal justification for doing so.

 

3. What personal data do we collect?

  • The personal data we collect depends on whether you just visit our website or use our services. If you visit our website, you do not need to provide us with any personal data. However, your browser transmits some data automatically, such as the date and time of retrieval of one of our web pages, your browser type and settings, your operating system, the last web page you visited, the data transmitted and the access status, and your IP address.

  • If you use our services, personal data is required to fulfil the requirements of a contractual or service relationship, which may exist between you and our organisation.

 

We collect:

 

  • Financial Details

  • GP name and address

  • Health insurance information

  • Name

  • Patient Number

  • Telephone contact details

  • Confidential Correspondence

  • Digital Images

  • Email, Social Networks

  • Online Identifiers

  • Banking Details

  • Location Information

  • Photographs together with Identifiers

  • Medical reports – GDPR Article 9  - Processing of special categories of personal data

Medical and health data will be collected for the purpose of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services and as further permissible under Article 9 GDPR.  Medical and health data will be processed as necessary, with your explicit consent and or in keeping with regulatory requirements. 

4. How do we process your personal data?

  • We only collect the amount of personal data necessary to achieve the purpose for which it was collected. Therefore, we seek to minimise the personal data which is required for processing. We retain personal data only for as long as is described above, to respond to your requests, or longer if required by law. If we retain your personal data for historical or statistical purposes, we ensure that the personal data cannot be used further. While in our possession, together with your assistance, we try to maintain the accuracy of your personal data.

 

5. How can you access your personal data?

  • You have the right to request access to any of your personal data we may hold. If any of that information is incorrect, you may request that we correct it. If we are improperly using your information, you may request that we stop using it or even delete it completely.

This is known as a data subject access request whereby you can receive a copy of the personal data that we hold about you.  This right applies in all circumstances, however there might be some scenarios where we cannot provide you with some of the information requested (i.e. to protect the rights of others or due to legal privilege/confidentiality). If that is the case, we will explain this to you as part of our response to your request.

  • Where you have previously given your consent to process your personal data, you also have the right to request that we port or transfer your personal data to a different service provider or to yourself, if you so wish.

  • Where it may have been necessary to get your consent to use your personal data, at any moment, you have the right to withdraw that consent. If you withdraw your consent, we will cease using your personal data without affecting the lawfulness of processing based on consent before your withdrawal.

 

 6. How we lawfully process your data

  • We use your data for a range of different purposes. To do so lawfully we need to have a legal basis for doing so.

  • We normally process your personal data if it is:

  • Necessary to provide you with your care - to enable us to carry out our obligations to you, arising from any contract entered between us. This may include the provision of services or treatments to you and related matters, such as billing, accounting and audit, credit or other payment card verification and anti-fraud screening

  • In our, or a third party's legitimate interests to do so (e.g. in helping with medical safety, quality assurance and medical research, or managing our business operations). We will be utilising legitimate interests as our lawful basis under Article 6 UK GDPR in limited circumstances where the processing of your data does not impede your rights and freedoms. For more information, please refer to the ICO’s guidance on legitimate interests

  • Required by any applicable law (i.e. to meet certain legal obligations placed on us by English law as a healthcare provider

  • With your explicit consent for example: direct consumer marketing communications, participating in a clinical research project or clinical trial and/or engaging with third parties.

  • As part of your treatment, we are required to get your consent to the medical treatment itself. However, this consent shouldn’t be mistaken for consent to process personal data. As a private healthcare provider, we process your personal data in order to comply with our obligations under our contract with you. Generally, we will only ask for your consent to data processing if there are no other legal grounds to process. In these circumstances, we will always aim to be clear and transparent about why we need your consent and what we are asking it for. Where we are relying on consent to process personal data you have the right to withdraw your consent at any time by contacting us using the details below and we will stop the processing for which consent was obtained.

  • To process special category data (i.e. personal data that needs more protection because it is sensitive), we rely on additional legal grounds and generally, they are as follows:

  • Necessary for the purposes of medical diagnosis, to provide health or social care treatment, or to manage health or social care systems and services. This may also include monitoring whether the quality of our services or treatment is meeting expectations

  • With your explicit consent

  • It is necessary to establish, make or defend legal claims or court action

  • It is necessary so that we can comply with employment laws

  • It is necessary for a public interest purpose in line with any laws that are applicable. This should assist in protecting the public against dishonesty, malpractice or other seriously improper behaviour for example, investigating complaints, clinical concerns, regulatory breaches or investigations e.g. the Care Quality Commission (‘CQC’), the General Medical Council (‘GMC’) or the Information’s Commissioner Office (‘ICO’).

 

7. Where we get your data from

  • We very rarely obtain information about you without your prior knowledge. We will collect your personal data either from you directly, from your Consultant, or from a referring body.

  • There might be some instances where we receive data about you from other organisations or people. For example, if we receive a piece of information from your General Practitioner (‘GP’), embassy or insurance company, you should know about it prior to us receiving the data or we may confirm we have received it as part of your interaction with your care team.

 

8. Who we share your data with

  • Where possible, we avoid sharing your data with anyone outside of LIPS. There will be, however, situations where this is not possible, and a third party will need to access or be given a copy of your personal data. Some examples have been included below:

  • Consultants who are Data Controllers in their own right (for example, in order to deliver your care) Suppliers or collaborators (for example, in order to provide bespoke 3D prosthetics, or to support our IT infrastructure)

  • Regulators, authorities or government bodies (for example, in order to resolve a complaint that has been raised or to conduct professional body safety reviews)

  • Professional advisers, including external legal advisors, insurance companies and medical experts (for example, in order to resolve a legal claim or dispute, to provide pre and/or post procedure reviews)

  • Third parties for the purposes of debt collection

  • Third party payment processor companies. For the avoidance of doubt, LIPS will not store any of your payment card details

  • Delivery companies for the purposes of transportation

  • Third parties for health, wellbeing & patient safety analysis

  • Third party service providers for the purposes of storage of information and confidential destruction.

  • Where a third-party Data Processor is used, we ensure that, in addition to their obligations under Data Protection Laws, they operate under contractual restrictions which aim to safeguard the confidentiality and security of your information.

 

9. Where in the world your data is physically sitting

  • We use systems, technology and/or support vendors who may store or have access to physical or cloud storage which resides both in the UK and abroad. This includes countries both within the European Economic Area (‘EEA’) and, in limited circumstances, those further afield, for example the United States of America.

  • Where we store or share personal data with a third party in a country outside of the UK or EEA, we will put appropriate safeguards in place to protect that data in accordance with the applicable Data Protection Laws and the ICO’s guidance. These range from a contract with that third-party supplier through to technical measures to protect it while it gets there.

  • We may also need to share your data with a third party in a country outside of the UK if you are a resident of another country and that third party is authorising or providing part of your care.

 

10. How long we keep your data

  • We only keep your data as long as it is required either by English Law, health regulatory best practice, codes of practice, or our own legitimate business needs in line with our corporate policies.

  • The full range of retentions varies per record, some are only kept short-term, and some kept more long-term if they relate to legal matters or long-term medical conditions. Below are the considerations we use to determine the appropriate retention period:

  • The purposes for which we process your personal data and whether we can achieve those purposes through other means

  • The applicable legal, regulatory, tax, accounting or other requirements

  • The amount, nature, and sensitivity of the personal data

  • The potential risk of harm from unauthorised use or disclosure of your personal data. 

 

11. How we protect your data

Your data is safeguarded to the level of protection necessary for your data while it is in our management.  All information collected is secured against unauthorised access, damage, loss or destruction; whether physical or electronic.  Our ISMS (information security management system) is certified to ISO/IEC 27001:2013. Our UK business is also Cyber Essentials Plus certified. We maintain what we believe are appropriate security controls in place to protect personal data. Risk assessment, including assessing risks to the rights and freedoms of data subjects, is at the heart of our ISMS.

 

Your Rights Under the UK & EU GDPR (“GDPR”)

 

You have certain rights in relation to how your personal data is processed, including:

 

·   The right to be informed about processing of your personal data. #

·   The right to have any inaccuracies in your personal data corrected.

·   The right to object to processing of your personal data.

·   The right to restrict certain processing of your personal data.

·   The right to have your personal data erased.

·   The right to request access to your personal data and information (Subject Access Request).

·   The right to move, copy or transfer your personal data.

·   Rights in relation to automated decision-making including profiling.

 

 

Compliance

LIPS uses Meddbase developed by Medical Management Systems Limited (MMS) to help maintain GDPR compliance and protect personal information. Meddbase is a web application designed for clinical management and is used to run our organisation and manage our patient records (practice management software).

 

Information We Collect

We may obtain personal information about our patients including: Name, Date of birth, gender and nationality, Postal address, email address and telephone numbers, Next of kin contact details, GP details, Medical records, including referral details, and information provided by third parties and other healthcare professionals, Details of your condition, treatments, investigations and any details required by a healthcare professional involved in your care, Information about medical or health conditions of your family members. Financial information e.g., payment card details.

 

1. Physical

MMS stores client data in secure geographically dispersed UK Data Centres. The data centres have multiple physical controls including Biometrics and dedicated key passes that only allow access to authorised parts of the datacentre.

 

2. Technical

Access to the Meddbase portal is over a secure link. There are multiple layers of intrusion protection, intrusion detection and firewalls between the internet, the application servers and the databases. The application and database servers have no access to the internet. All access to the application is by users who have been authorised by LIPS. We also have enabled two-factor authentication to add further strength to access management.

 

3. Procedural

LIPS internal policies only allow specified, need-to-know employees access to the application. All access is monitored, and any unusual access is alerted to the MMS Security Team. Unusual access by client users is also monitored and unusual events are also alerted to the MMS Security Team who will liaise with LIPS to investigate that access. MMS is NHS IGSoC and ISO27001 certified and HIPAA compliant and follows the strict information handling requirements of these standards.

 

Data Controllers and Data Processors

Within the meaning of the GDPR, MMS acts as a Data Processor on behalf of LIPS who are defined as Data Controllers with respect to personal data stored on the Meddbase application. MMS cannot do any processing of personal data without the permission of LIPS. This permission is governed contractually between LIPS and MMS.

 

Subject Access Requests

Data subjects have similar rights under GDPR to the current law to access copies of information that data controllers hold about them through a subject access request (SAR). MMS makes it easy for LIPS to handle SARs through the Meddbase application. Using the application LIPS can search for the relevant information that the requestor is looking for an export this in a suitable format to provide to the data subject.

 

Where MMS receives a SAR with respect to personal data held within the Meddbase application, MMS will advise them to contact LIPS as the data controller using the application. MMS will not take part to initiate in requests for personal data for a SAR unless in accordance with specific instructions from LIPS.

 

The Right of Erasure

The GDPR gives data subjects’ new rights to have data about them erased in certain limited circumstances. This is easily managed by LIPS within the Meddbase application. Once permanently deleted, such data cannot be restored. The Meddbase application provides warnings when data is deleted in this way but the decisions as to when and whether to delete data is one for our clients to take as a data controller.

 

MMS will not delete data other than in accordance with the specific instructions from LIPS. Please note that LIPS may be required to retain certain data as required law.

 

The Right to Rectification

The GDPR allows data subjects to have their data corrected when it is wrong. This is easily managed by LIPS within the Meddbase application as data controllers. MMS will not modify data other than in accordance with the specific instructions of our client.

 

Third Party Transfers

MMS does not use any third parties to process any of the personal data stored within the Meddbase application and, unless otherwise required by law, will not transfer any of this personal data to any third party other than in accordance with the specific instructions of our client. LIPS may utilise staff outside of the UK or EU/EEA to perform administrative processing of data within our group systems.

 

International Transfers

We may need to transfer your information to other LIPS Group companies or service providers in countries outside the United Kingdom and European Economic Area (EEA). The EEA consists of countries in the European Union, Switzerland, Iceland, Liechtenstein and Norway: they are considered to have equivalent laws when it comes to data protection and privacy. This kind of data transfer may happen if our servers (i.e., where we store data) or our suppliers and service providers are based outside the EEA, or if you use our services and products while visiting countries outside this area. We currently utilise some administrative processing which is conducted securely from our Cairo, Egypt location.

 

If LIPS must send your information outside of the UK or EU/EEA, we ensure all information is properly safeguarded as required by law. We will also ensure there is a binding legal agreement in place which establishes the appropriate supplemental measures, Standard Contractual Clauses (SCCs) and is associated with any relevant risk management exercises.

 

How to Contact Us. If you wish to exercise your rights under the GDPR, please contact our privacy team at dataprotection@lips.org.uk, +44 (0) 207 164 6114 or by post LIPS Privacy Team, London International Patient Services, 5 Devonshire Place, London, W1G 6HL.

 

You have the right to complain to the Information Commissioner’s Office (www.ico.org.uk), who are responsible for monitoring compliance with GDPR and data protection laws.

 

How you can find out more information

If you have any questions or queries about how we handle your personal data at LIPS, please get in touch at dataprotection@lips.org.uk

 

London International Patient Services (LIPS) takes your privacy and information security seriously. The UK and EU General Data Protection Regulation (GDPR) came into force on the 25th of May 2018. The GDPR changes how personal data is handled and increases or reinforces the rights of data subjects.

 

We have appointed IT Governance Europe Limited to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our Representative at eurep@itgovernance.eu  Our Data Protection Officer (DPO) is GRCI Law Limited, at dpoaas@grcilaw.com, Unit 3, Clive Court, Bartholemew’s Way, Cambridgeshire Business Park, Ely CB7 4EA.  Please ensure to include our company name in any correspondence you send to our representatives.

background-mobile
logo

This website is provided as a service to help

inform current and future patients of our leading

consultant panel and the latest treatments

available.

Registered Office Address

London International Patient Services Limited.

Solar House,

282 Chase Road, London,

United Kingdom, N14 6NZ

Company number: 10111760.

Registered in England and Wales.

LIPS is the UK’s largest multispecialty

private group of leading NHS teaching hospital

consultants.

Based in London, United Kingdom

Mon – Fri: 8 AM – 7 PM

Sat: 8 AM – 4 PM

Sun: Closed