Privacy Policy

This privacy notice page lets you know how we collect and use your personal information when you use our website, www.momentmhealth.co.uk, and employ our services at Momentm Health Limited.

We, Momentm Health Limited, are the data controller. We are responsible for the personal information which we collect from you via our website. We will refer to our company as ‘we’, ‘us’ and ‘our’ throughout this document.

Our Data Protection Officer (DPO) is Rhys Slough. They are the first person you can talk to about any of your data that we as a company hold.

You can contact us at any time. Our full contact details are below:

Momentm Health Limited,
Board of Directors

info@momentmhealth.co.uk

Salisbury House, Station Road, Cambridge, CB1 2LA

01223 344366

We are obliged to keep the details we hold about you accurate. If anything changes in your circumstances, such as but not limited to a change in address or phone number, please contact us so we can correct your data.

What we collect

It’s important that you understand all the ways we collect and use your personal information. Personal data is anything that could be used to identify you.

Contact details

We need to contact you on a regular basis during the entirety of our relationship. Our rules for holding this data depend on decisions made by you on whether to undergo treatment with us.

We store all contact details in our practice management / Radiology information software – Biotronics 3D. This helps us manage our practice. As such, our legal basis for using your data this way is legitimate interest. It would be impossible to manage our practice without some form of practice management software.

We also store some contact details in our customer-relations management (CRM) software. We use this to ensure we follow up with you when we need to. As such, our legal basis for using your data this way is in our legitimate interests. We must ensure that we follow up with all customers thoroughly. We also use a CRM to ensure that our communications with you are highly relevant and timely.

If you do choose to become a patient with us, your contact details become part of your healthcare records, after which the legal bases and our obligations for storing them change. Please read more below.

Health data

We must store sensitive healthcare data to treat you as a patient. Your treatment may depend on sharing some of this data with a laboratory or an auditor. We are legally obliged to hold this data for 10 years. Depending on the complexity of your treatment, we may choose to retain this data for a longer period upon review after the 10 year period. Otherwise, it is destroyed. As such, our legal bases for holding this data are, at first, to fulfil a contract to you and then, afterwards, legal obligation.

Technical data

We log your IP address along with the pages you visit, information about your web browser (your User Agent e.g. Google Chrome, Safari, Internet Explorer) and whether you faced an error or not. We use this data to diagnose errors and investigate malicious attacks. Our web servers automatically collect this data, and it is stored on the same server. This data is never shared or used for any purposes beyond diagnostics and investigation. This data is destroyed at six monthly intervals. As such, our legal basis for holding this data is legitimate interest.

Financial data

If you are a customer, we must keep track of your basic financial information (transactions made with us) by law for six years from the day you no longer use our services. As such, our legal basis for storing this data is a legal obligation.

Basic financial information includes:

Usage data

We collect website usage data using Google Analytics and Facebook. We use this information to improve our website’s user experience, identify opportunities for business growth and improve and monitor on-going marketing campaigns. This data also allows us to run marketing campaigns that are highly relevant to the individual who can then make a better informed decision whether our services are right for them or not. We retain this data for a maximum of 38 months so we have enough data to make meaningful statistical analyses. As such, our legal basis for collecting, storing and using this data is within our legitimate interests. You may use cookie blocking software to disable this tracking to no detriment to this website’s function.

Marketing data

We have a legal obligation to store your preference to receive marketing from us. If, by request or by our own data handling rules and obligations, we erase your data, we will lose your marketing preferences. If you contact us again, you will need to state your marketing preferences again.

We may send you information about special offers, competitions and other deals that are strictly relevant to you as a customer. The period of time in which we do this depends on the treatment you express interest in. At a maximum, this is around 12 months. We will stop and erase your data if you do not respond to our marketing emails. Our legal basis for this is a legitimate interest: our data shows that it takes between 10-15 months for 30% of our enquirers to make a decision on a provider for their treatment. We want to provide our potential customers with the relevant information over that period to make an informed decision. This also enables us to grow our business, examine how our customers use our services and improve marketing activity. We provide a clear means by which you can opt out of such communications and update your preferences. You may also contact us directly to update your preferences.

We will never sell or provide your personal data to third-parties for marketing purposes. We will only ever market our own business to you, depending on your preferences.

We may use a combination of your contact details, usage data and marketing data to display relevant, targeted content to you from our website or through advertising networks, i.e. Google Ads and Facebook Ads. We use advertising to grow our practice, grow our customer base and also ensure that you only see adverts for products that are relevant to you. As such, our legal basis for doing so is legitimate interest. You may contact us to stop us from using any of your data this way at any time.

Sensitive data

As stated above, we may hold sensitive data about you in the form of healthcare records. If we don’t collect this data, we will be unable to provide you healthcare services. We will never process this data outside of our duties as a healthcare provider. In the event of one-time processing, we will contact you and request explicit consent. This would be an exception rather than a norm. Our legal basis, as stated previously, is, at first, to allow us to fulfil a contract with you and, after treatment is complete, any legal obligations we may have on the minimum length of time for holding your sensitive data.

We take, at a minimum, in person in a clinical setting:

For more information, please email us on info@momentmhealth.co.uk.

We do not use your information to make automated decisions or profile you. We may use your data without your knowledge or consent where this is allowed or necessary by law.

Marketing

As stated previously, we may send you relevant marketing communications on the basis of growing our practice, which is within our legitimate interest. Where we wish to send you general and non-specific marketing communications, we will always do this on the basis of your consent. You are within your rights to request that we stop sending you marketing communications entirely. You can do this by contacting us directly.

The Privacy and Electronic Communications Regulations (PECR) permit us to communicate with you for marketing purposes if:

  1. You are a patient or expressed interest in becoming a patient

  2. You have explicitly opted-in to marketing communications from us and:

    1. You haven’t since withdrawn that consent

    2. Your consent is still deemed relevant, e.g. you have been in contact within a certain period of time.

After 12 months of no contact, we will deem your consent ‘expired’. Similarly, we would deem your expression of interest no longer relevant because we would deem that your interest has ‘faded’. Both have the same effect as explicitly withdrawing consent – that is, after which, we will erase any of your data collected.

As stated, you may request that we stop sending you marketing communications outright at any time. Use the contact details at the top of this document to contact us if you wish to request this.

We will never send you unsolicited (non-relevant) marketing emails or texts. All marketing communications are delivered after, and only after, you, the individual, initiate a prospective customer relationship with our practice.

Who processes your data

To perform all business functions, we may need to share some of your personal data with third-party data processors:

International processors

Some of our processing requires transfer of your personal information outside of the European Economic Area (EEA).

Companies within countries that fall outside of the EEA are not obliged to implement the protections of the DPA and GDPR. As such, EU law has banned the transfer of personal information to companies outside of the EEA where those companies do not comply with new data privacy regulations.

As such, all of our data processors that are outside of the EEA have agreed, via a Data Processor Agreement, to comply with the protections of the GDPR, reside in a country that European lawmakers have determined provide strong enough protections of personal data or we use, in the case of a processor in the United States, processors that fall under the EU-US Privacy Shield, guaranteeing the same level of protections of personal data as the GDPR.

We will not use a processor that does not meet these criteria as part of our ongoing activities. In the event of one-time processing, we will seek your explicit consent. That consent will only be relevant for that particular request.

Data Security

Our systems have been developed using Privacy by Design. Our business systems, as such, are built to protect your personal data from accidental loss, access, processing and mutation without the authority to do so.

Only those that have a need for a particular piece of your information have access to that information. Your personal data is only processed to our explicit instructions. All processing activity is kept confidential.

We have also proactively built business systems to handle any kind of potential or suspected breach of personal data that we are responsible for. If it is found your personal data has been breached, we will notify you and the appropriate regulator within three days. We will also inform you of the steps we had taken to prevent that and steps we have taken to recover/further protect your personal data.

Holding Your Data

As stated previously, we will hold your personal data for as long as we need it and no longer. Where feasible, we have stated how long we expect to hold the various categories of your personal data and the legal bases for doing so. Where we have been unable to provide a specific time period, we have given a global maximum timeframe for that category of data.

We use evidence from our own business activities, existing law and obligations to determine the appropriate length of time to hold your data. A major factor is how sensitive a piece of personal data is. That is, how much potential harm this personal information would cause if breached.

Some processors anonymise personal data. Where we can use pseudo-anonymisation, we will do so to reduce or eliminate the risk of privacy breaches.

Direct Care & Onward Referrals

We share your personal data with other health and social care providers who provide ‘direct care’ to you and others, such as administrative staff, who support this care. We will only share your personal data with such parties where we are satisfied that they will handle your data confidentially and in compliance with data protection legislation (UK GDPR & the UK Data Protection Act 2018).

‘Direct care’ refers in this context to any activities that support the diagnosis, care or treatment of your condition. The primary instances in which we share your personal data for direct care purposes are:

(1) where we share your personal data with Momentm Health Limited so that we may perform the imaging procedures that you have ordered;

(2) where you submit an online request on momentmhealth.co.uk whereby we may onwardly refer you to a third-party provider or specialist for further advice, diagnostics or treatment, in which case we may share your personal data with any third-party provider or specialist that we identify for these purposes;

Examples of other persons or bodies with whom we may share your personal data for direct care purposes include:

-Your NHS GP

-Onward referral specialists

-Physiotherapists

-Therapists

-Pharmacists

-Hospitals

-Accident and emergency services

-Testing service providers

-Other health and care bodies

We will only share your personal data with such bodies or persons where we can do so in compliance with both the common law duty of confidentiality (the CLDC) and applicable UK data protection legislation.

For the purposes of the common law duty of confidentiality, we will share your personal data for the purposes of supporting your direct care on the basis of your “implied consent.” This means that we will only share your data with third parties for these purposes where the surrounding circumstances mean that you would reasonably expect us to share your data with these parties i.e. it would not be a ‘surprise’ to you that we’ve shared your data with these parties.

In the event that we need to share your data with a provider or specialist who we suspect you would be surprised to learn has access to your data, we will ask for your express consent before sharing any information with them. Please note that this will not apply to any disclosure of your data to a third-party provider or specialist that we make pursuant to your request for an onward referral on uk.scan.com or otherwise. In such instances, we will deem that we have your implied consent to share your basic personal data (name, contact details) with such third-parties, provided that we will not share any special category data (i.e. your medical data, scan results, diagnoses etc) as part of the onward referral without your express consent under both the CLDC and Article 9(2)(a) UK GDPR.

In addition to requiring your ‘implied consent’ under the CLDC, we will only share your data for direct care purposes (including onward referrals) where we have a lawful basis to do so under UK GDPR.

In this regard, we will share personal data such as your name, contact details, NHS number (or other unique identifier) and appointment date & time with third parties for direct care purposes on the legal basis of Article 6(1)(b) whereby we may process your data for the purposes of performing our contract with you. We may also rely on Article 6(1)(d) (protecting your vital interests) or 6(1)(f) (exercising our legitimate interest in providing you with healthcare services).

Where any of the personal data we wish to share for direct care purposes is ‘special category data’- data that reveals particularly sensitive information about things such as your physical or mental health, genetic or biometric make-up or racial or ethnic origin- we will only share your data where we have legal bases to do so under both Article 6(1) and Article 9(2) UK GDPR.

In particular, we will share your special category data for direct care purposes where, in accordance with Article 9(2)(a) UK GDPR we have your express consent to make the transfer in question. This is without prejudice to our right to rely on other legal bases under Article 9(2) from time to time, including where processing is needed to protect your vital interests, for reasons of public interest in the area of health or for preventive or occupational health reasons.

Please note that where you place a booking on momentmhealth.co.uk

You may object to any or all of your data being shared by info@momentmhealth.co.uk with such direct care providers by emailing info@momentmhealth.co.uk. If you object to such data being shared, we will not disclose it unless it is justified in the public interest or we deem that it is for your overall benefit in circumstances where you lack capacity to make such a decision.

Processing your Medical Images & Radiologist Report

We collect copies of the medical images and radiologist report produced in connection with your booking from the third-party scan provider that services your appointment if it is not provided by us directly.

These purposes include:

To upload a copy of your medical images and radiologist report on a secure, cloud imaging platform operated by the third-party service party Biotronics 3D LTD, so that you can remotely access and view a copy of your images and report online (the “Patient Portal”)

To process a de-identified (i.e. anonymised) copy of your medical images that we may later share with certain third-parties with whom we have a suitable data sharing agreement in place for purposes including teaching, training and/or research purposes, service delivery planning, and improving healthcare related products and services. Examples of the categories of third-party that we may share such de-identified image datasets with include (without limitation and for illustrative purposes): Public Health England, NHS Trusts, universities and public research institutes, data aggregators and brokers, health insurers and underwriters and digital diagnostics companies.

The scan provider who services your appointments shares your medical images and reporting radiologist report with us in accordance with the legal requirements imposed on them both under the common law duty of confidentiality (“CLDC”) and UK data protection laws.

For the purposes of the CLDC, they share your images and radiologist report with us on the basis of your “implied consent” so that we can support your care by making your results remotely available to you online as soon as they are made available. Your “implied consent” is given where the surrounding circumstances mean that you would reasonably expect these scan providers to share your images and results with us i.e. it would not be a ‘surprise’ to you that they’ve shared this data with us.

In the present context, you are informed as part of the booking process on momentmhealth.co.uk that your images and report will be shared with us by the relevant scan provider so that we can upload them on to the Patient Portal for you to view. On this basis, it would not be a surprise to you that the scan providers are sharing this data with us for direct care purposes, with the result that your implied consent is therefore established.

In addition to requiring your ‘implied consent’ under the CLDC, scan providers will only share your scan images and radiologist report with us where they have a lawful basis to do so under UK GDPR.

In this regard, as the information shared as part of your medical imaging and radiologist report is a particularly sensitive form of data called ‘special category data’- medical images and radiologist reports can reveal information about your health, genetic or biometric make-up or racial or ethnic origin- scan providers will only share your data with us where they have a lawful basis to do so under both Article 6(1) and Article 9(2) UK GDPR.

In respect of Article 6 UK GDPR, our scan providers rely on Article 6(1)(b) whereby they may share your images and report with us for the purposes of performing their contract with you, under whose terms they have agreed to share your results with you via our cloud-based Remote Viewing Service. They may also rely on Article 6(1)(d) (protecting your vital interests) or 6(1)(f) (exercising their legitimate interest in providing you with healthcare services).

In respect of Article 9 UK GDPR, scan providers rely on Article 9(2)(a) UK GDPR whereby they share your images and report with us on the basis of your express consent to this transfer. We collect this consent on their behalf as part of our check-out process on momentmhealth.co.uk where we ask you to indicate your consent to scan providers sharing your images with us.

This is without prejudice to scan providers’ right to rely on other legal bases under Article 9(2) from time to time, including where processing is needed to protect your vital interests, for reasons of public interest in the area of health or for preventive or occupational health reasons.

To the extent that we share copies of your medical images and radiologist report with third parties, and the other categories of third parties listed above, we only do so once these images and reports have been fully “de-identified”.

“De-identified” here means all elements in the images and report that could be used to directly or indirectly identify you have been removed with the result that there is no reasonable prospect that you could be identified from the resulting images and reports (even when advanced techniques such as machine learning, surface rendering and algorithmic re-identification techniques are applied).

To allow for this level of de-identification, Momentm Health Limited requires that each diagnostic imaging examination be de-identified using an approved and regulated DICOM tag, pixel and HL7 report anonymisation software before sharing them with third-parties.

As data protection legislation applies only to information that identifies or could be used to identify you, the de-identified scan images and reports that we share with third parties are not subject to UK GDPR.

Your Rights

Your privacy rights, that existed under the DPA, have been strengthened and amended under the GDPR. You have the right to, in relation to your data:

ICO explains your rights in more detail here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

You can contact us using the details at the beginning of this document to exercise any of your rights at any time.

Exercising your rights is free of charge. We can, however, refuse or charge for any requests that are deemed excessive, repetitive and/or unreasonable.

We will need to verify your identity to comply with any request(s) to exercise your rights. We will need some personal information to do so, strictly for the purposes of identity verification. Otherwise, this would leave your personal information vulnerable – something the GDPR aims to resolve. Unless a proxy is stated explicitly in a form that can be used as evidence, we will only ever comply with requests for the exercise of rights with regards to your personal data by you only.

All requests should be resolved within one month. This, however, may take longer for requests that require a more complex resolution. We will inform you of any delays that may be required, along with justification.

You have the right to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we process your personal data. ICO is a body that supervises and enforces privacy laws in the UK. Please visit their website at www.ico.org.uk for more information. We do request that you contact us first with any concerns. We recommend contacting ICO if you are still unsatisfied after attempting to resolve any issues with us directly.

External Hyperlinks

On our website we may link to other websites that provide more information on a specific topic discussed on this website. By clicking any of those links, the contents of this privacy policy do not apply to your data processing on the websites that we link to. You must refer to the privacy policy on those websites which are out of our control. We will endeavour to link to reputable, well-maintained websites.

Cookie Policy

Some parts of our website may not function correctly without cookies.