Privacy Policy

Our commitment to protecting your personal information

Everlight Radiology Limited ACN 120 630 784 (‘Everlight Radiology’, ‘us’ or ‘we’) is committed to protecting your personal privacy and complying with our obligations under relevant privacy legislation, as set out in the Privacy Act 1988 (Cth) and embodied in the Australian Privacy Principles under that legislation (and to the extent they apply, in the other jurisdictions in which we operate).

This Privacy Policy sets out our commitment to protecting your personal information. It outlines how we collect, use, hold and disclose personal information, and how you can contact us if you have any concerns, questions or complaints about our management of your personal information, or if you want to access it.

We may update this Privacy Policy from time to time so please periodically check and review the policy for changes. You can access the current version of the Privacy Policy at the following webpage on our Website: https://www.everlightradiology.com/au/privacy-policy/.

Should you require a copy of the Privacy Policy in another form please contact us via the contact details set out in section 16 at the end of this policy to request a copy.

Personal Information + Sensitive Information

A reference to “personal information” means any information or opinion about you from which your identity is apparent or can reasonably be ascertained from the information or opinion, regardless of whether the information or opinion is:

  • true or not; or
  • recorded in a material form or not.

Personal information can also include sensitive information. “Sensitive information” means information or an opinion about matters such as your racial or ethnic origin, political persuasion, memberships in trade or professional associations or trade unions, sexual preferences, criminal record, or your health information.

Application of this Policy

We collect a variety of information from visitors to our Website, some of which can be confidential. This document explains the types of information we collect and what we do with that information (among other things).

This policy applies to personal information we receive or collect from or about you. This may occur when you:

  • visit or use the Everlight Radiology Website or any related software or applications (including any mobile applications);
  • request or use any of our services;
  • make an enquiry or register your interest with Everlight Radiology;
  • become or remain a client of Everlight Radiology;
  • contact and interact with us independently of the Website, such as by email, phone or in person;
  • apply for a job with us or express interest in employment or providing services to us;
  • make a payment of any tax invoices we issue; or
  • provide your personal information to us in any other way.

When you provide Everlight Radiology with personal information, you consent to Everlight Radiology using, handling and processing your personal information for the purposes and in the ways outlined in this policy (see sections 5 and 6 below) or such other purposes as we communicate to you from time to time.

You do not have to provide us with your personal information, but if you do not provide us with the personal information that we need, we may not be able to provide our services or assistance to you or on your behalf and you may not be able to enjoy the full benefits of our Website or our services.

What kinds of information do we collect?

The types of information we keep on record will depend on what activities you are engaging in or the type of product or service used or requested by you.

We only collect personal information that is necessary to assist us in providing our services. The type of personal information commonly collected for this purpose includes:

  • identification and contact information (e.g. name, age, date of birth, address, telephone number, email address etc.);
  • employer details;
  • country of residence;
  • your IP address for your interaction with various parts of our Everlight Radiology Website. Your IP address is the identifier for your computer when you are using the internet; and

We may also collect personal information you upload on the Everlight Radiology Website, e.g. during your use of the Website or to apply for an employment or contracting opportunity. You consent to Everlight Radiology posting and using this personal information for the purposes of our functions and activities.

In certain circumstances, we may also be required or permitted by law, court or tribunal order to collect certain personal information about you.

We will advise you in accordance with relevant privacy legislation when we collect your personal information and for what purpose.

We only collect sensitive information about you with your consent and if it is necessary for, or directly related to, our functions or activities, except if we are otherwise required or permitted by law to collect, use or disclose it.

We may also collect some statistical information about visitors to the Everlight Radiology Website (for example, the number of visitors, pages viewed, your type of browser and geographic location, types of transactions conducted, time online and documents downloaded, how you came to the site, and information that will help us trouble-shoot problems, analyse our resources and improve our services). Some of this statistical information is collected by using cookies, but none of the statistical information we collect allows us to identify a visitor. We use this information to evaluate our website performance and continually improve our services.

How we collect your Personal Information

We will collect personal information directly from you unless:

  • it is not reasonable or practicable to do so;
  • you consent to us collecting it from other sources; or
  • collection is otherwise permitted under relevant privacy legislation.

If we receive your personal information without requesting or soliciting it (‘unsolicited personal information’), we will (within a reasonable period after receiving it) determine whether or not we could have collected that personal information if we had sought it from you directly. If we could not have collected the personal information, and it is not contained in a Commonwealth record, then we will (as soon as practicable) destroy the information or ensure that it is de-identified provided it is lawful and reasonable to do so.

You must not provide us with personal information about another person unless you have first obtained that person’s prior consent to do so and you have told them their personal information will be handled in accordance with this Privacy Policy (including where they can find it).

Purposes of collecting and using your Personal Information

We collect your personal information so that we can provide you with the products and services you are seeking from us. We may use your personal information in the following ways:

  • communicating with you, including by email, mail or telephone;
  • responding to your requests or queries;
  • operating and improving Everlight Radiology’s Website, content, offers and services;
  • sending you news and information about Everlight Radiology and our products, services or promotional communications, including newsletters, surveys and information about security updates, or information that is related to you as a customer or service provider of Everlight Radiology;
  • occasionally sending you marketing, advertising or promotional material about our products and services (or the products and services of our partners) that we think may be of interest to you;
  • providing you with more effective customer service;
  • enabling us to conduct customer research;
  • to compile data and conduct analysis of Everlight Radiology member/user statistics;
  • performing research and analysis aimed at improving our products, services and technologies;
  • establishing, maintaining and administering your account and customising the service we provide to you;
  • verifying your identity, profiles and products, checking your credentials;
  • monitoring and reporting as permitted or under any applicable laws;
  • investigating any complaints about or made by you, or if we have reason to suspect that you are in breach of any of our Terms of Use or that you are or have been otherwise engaged in any unlawful activity;
  • to communicate with regulators or government departments in respect of Everlight Radiology’s functions and activities;
  • to assess a job applicant and to allow us to carry out any monitoring activities which may be required of us under applicable law as an employer;
  • ensuring our internal business operations are running smoothly, which may include fulfilling legal requirements and conducting confidential systems maintenance and testing;
  • quality assurance and training purposes;
  • any other uses identified at the time of collecting your personal information;
  • using personal information as otherwise required or permitted by any law (including the Privacy Act 1988 (Cth) and the Spam Act 2003 (Cth)).

Personal information that we collect is not traded, sold, leased or rented. You consent to us using and disclosing your personal information in the manners that could reasonably be contemplated by this Privacy Policy, our Website Terms + Conditions or by the relevant activities you are engaged in when providing us with your personal information (e.g. as a website user, job candidate, service provider or customer).

Disclosure of your Personal Information

Any personal information provided to us may be disclosed, if appropriate, to other entities in order to facilitate the purpose for which the information was collected. Such entities generally include:

  • third-party service providers for the purpose of enabling them to provide a service such as (but not limited to) payroll, superannuation administration, IT service providers, data storage/processing, IT security, web-hosting and server providers; debt collectors, maintenance or problem-solving providers; security services; credentialing service providers; professional advisory (including legal, accounting, financial and business consulting); mailing house and delivery services; and banking, payment and insurance providers;
  • any applicable or relevant regulator or third party for the purpose of legislative or contractual compliance and/or reporting;
  • any related entities of Everlight Radiology; or
  • other entities if you have given your express consent.

We may also disclose your personal information to third parties in the following circumstances:

  • Where we are under a legal or regulatory obligation to do so (for example, to a court or tribunal in response to a legal request, to a subpoena or to the Australian Taxation Office) or to protect the rights and interests, property, or safety of Everlight Radiology, our members and users, or others;
  • If all, or substantially all, of the assets of Everlight Radiology are merged with or acquired by another party, in which case your personal information may form part of the transferred or merged assets.

Where possible, we will inform you, at or before the time of collecting your personal information about other types of organisations to whom we may, with your consent, disclose your personal information. Prior to such disclosures, Everlight Radiology will take all reasonable steps to satisfy ourselves that:

  • the organisation has a commitment to protecting your personal information; and
  • where necessary, you have consented to such disclosure.

From time to time, these parties may reside outside of Australia. Our contracts with these parties generally include an obligation for them to comply with Australian privacy law and this Privacy Policy. However, you acknowledge that, by agreeing to the disclosure of your personal information to these entities outside of Australia, we will no longer be required to take reasonable steps to ensure the recipient’s compliance with the Australian privacy law in relation to your personal information and we will not be liable to you for any breach of the Australian privacy law by these overseas recipients. On this basis, you consent to such disclosure.

Direct Marketing

From time to time we may use your personal information to contact you about, among other things:

  • particular Everlight Radiology products and services being offered to Everlight Radiology members / users which we believe may be of interest to you;
  • changes to our organisation or our services; or
  • your use of Everlight Radiology’s Website or services.

We will generally only do this with your prior consent (where practical) and we will always give you the opportunity to opt out of receiving such communications at any time. Direct Marketing from Everlight generally takes the form of emails or telephone calls.

Every directly addressed marketing communication sent or made by Everlight Radiology will include a means by which you may unsubscribe from (or ‘opt out’ of) receiving further marketing communications. You may also instruct us at any time to remove any previous consent you provided to receive marketing communications from us. Requests should be directed to us via the channels provided under the 'Contact us' section of this policy (see section 16 below).

Links to third party websites

Our website may contain links to the websites of other entities. If you click on such links, you will be transferred to the website of those third-party entities. We have no control over, and are not responsible for, the privacy practices of these entities. You should read the privacy policy of those entities to find out how they handle your personal information when you visit their websites.

10 Personal information about employees, contractors or job applicants

Everlight Radiology may also collect personal information from you if you apply for a job (or a position as a contractor) with and/or become employed by (or contract with) us. In these circumstances, you:

  • authorise us to collect any personal information (whether written or verbal) from any referee or previous employer specified in your application for employment or curriculum vitae for evaluation of your application for employment and to hold such information on your personal file for future evaluation of your employment by us; and
  • acknowledge that your personal information is collected for the purpose of evaluating your application for employment by us and, should you accept employment with us, the assessment of your continued employment by us and the administration by us of your remuneration and any PAYG obligations.

You acknowledge that a failure by you to provide the requested personal information will have a detrimental effect on our ability to give your employment application proper consideration. You can request to access and/or correct your personal information in accordance with this policy.

Updating or correcting your Personal Information

We will take reasonable steps to ensure the personal information we collect is accurate, up to date and complete. We will also take reasonable steps to ensure that when we use or disclose your personal information it is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure. However, we also rely on you to advise us of any changes to your personal information by maintaining and updating your profile or information with us.

During the course of our relationship with you, we will from time to time ask you to confirm whether your personal information is correct or has changed.

You may also inform us of any changes to your personal information or correct any inaccuracy by contacting us via the contact details in the ‘Contact us’ section of this policy (see section 16 below) so that we can update your file accordingly. However, where there are grounds to refuse to correct the information as requested, we will provide you with reasons for not complying with your request.

Accessing your Personal Information

You may request access to any of the personal information we hold about you at any time by contacting us via the contact details in section 16 of this policy.

You may access personal information we otherwise hold about you, subject to a small number of legal restrictions or exemptions.

While we do not generally charge you for requests to access your personal information, you should be aware that there may be reasonable charges (which will be notified to you when you make a request) for our time and cost associated with processing your request to access your personal information in the following circumstances:

  • if an extended amount of time is required to collate and prepare material for you; or
  • if you wish to have your files photocopied for you.

Access to your personal information may be denied on certain grounds including, for example:

  • it is unlawful;
  • it may have an unreasonable impact upon the privacy of other individuals; or
  • your request is frivolous or vexatious.

If we deny you access, we will advise you of the reasons for doing so at the time of your request.

Dealing with us anonymously or by pseudonym

In order for us to effectively do business with you or make our Website, services and associated content available to you, it will not, in most circumstances, be practical for us to deal with you without you providing relevant personal information to us. However, where it is lawful and practicable to do so, you may deal with us anonymously or by using a pseudonym. Such a situation might include where you make general enquiries about current or potential Everlight Radiology Services or promotional offers or the content on our Website.

Storage + Security

We will take all reasonable steps to protect your personal information by storing it in a secure environment. When the information is no longer needed for any purpose for which it was collected, used or disclosed, it will be destroyed or permanently de-identified.

We will also take reasonable steps to protect any personal information from misuse, loss, and unauthorised access, modification or disclosure, including by implementing security procedures for access to our business premises and within our offices, as well as IT security procedures including password protection, firewalls and site monitoring.

Although we aim to create a safe, secure environment by trying to limit access to the Website to legitimate users, we cannot guarantee that unauthorised parties will not gain access. We will not have any liability arising from any unauthorised access to your personal information.

Please contact us immediately if you become aware of any unauthorised use of your account by anyone else or any other breach of security (see the contact details in section 16 of this policy).

Changes to our Privacy Policy

We regularly review all of our business policies and may change this Privacy Policy from time to time, or as the need arises, without prior notice. You should periodically check the page on the Everlight Radiology Website containing our Privacy Policy and review the policy regularly to ensure that you are aware of any changes to its terms. This is the current Privacy Policy and may replace any other privacy policy previously published for Everlight Radiology.

This Privacy Policy was last reviewed on [INSERT DATE].

Contacting us

Please contact us via the contact details provided below if you want to:

  • obtain further information about the way we manage your personal information;
  • access your personal information held by us;
  • raise a concern or make a complaint regarding how we collect or handle your personal information, including about a breach of this Privacy Policy or the Privacy Act 1988 (Cth);
  • correct or update your personal information held by us; or
  • unsubscribe from any Everlight Radiology mailing list or have any questions or complaints regarding unsolicited electronic communications which you may have received or are concerned about.

Contact us at:

Website - https://www.everlightradiology.com/au/contact-us/

Write to us at:

The Privacy Officer
Everlight Radiology
L11, 70 Phillip Street
Sydney NSW 2000

Need more information about privacy?

For more general information regarding privacy in Australia, visit the website of the Office of the Australian Information Commissioner.

UK Privacy Policies 

This is the online privacy policy issued by Radiology Reporting Online LLP (trading as Everlight Radiology), Company number OC360458, Registered office: 25 Farringdon Street, London, England EC4A 4AB

We can be reached:

  1. via email at enquiries@everlightradiology.com
  2. by telephone on 0300 400 1111
  3. at our postal address: Sixth Floor West 250 Euston Road NW1 2PG

When you use this website and transact with us online, we are committed to protecting the privacy of your personal information and handling it in accordance with the Privacy Act.

Everlight has a Data Protection Officer (DPO) whose role it is to ensure that data protection is built into the organisation’s culture and working practices. If you have any questions about the use of your personal data, you should contact the DPO in the first instance.

The contact details of the DPO are:

Kate Cooper

kcooper@everlightradiology.com

0300 400 1111

Data protection principles

The GDPR came into force on 25 May 2018 and sets out the principles we, as a data controller, must adhere to when processing your personal data. 

The GDPR principles are as follows:

Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation – data must be collected only for specified, explicit and legitimate purposes.

Data minimisation – data must be adequate, relevant and limited to what is necessary.

Accuracy – data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased.

Storage limitation – data must only be stored for as long as is necessary.

Integrity and confidentiality – data must be processed in a secure manner.

Accountability – the data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.

What Information Do We Collect?

The information we collect from you when you visit our website depends on the tasks you complete online. You may be:
* browsing this website;
* applying for a product or service online, completing registrations or surveys;
* making an enquiry or sending us an email.

When you browse this website the information we collect does not identify you and we do not combine it with any information in a manner that could identify you. The information is used for statistical and maintenance purposes that allow us to evaluate the performance of our website.

The information we collect includes:
* aggregate information on what pages people access or visit (including the date, time and duration of their visit);
* the domain name of visitors to our web page;
* information volunteered by the visitors such as emails sent to us, survey information and/or site registrations.

When you apply for a product or service online we need to collect personal information from you in order to complete your online application for our products or services, or to identify you if you are paying for products or services online.

When you are completing our online application forms or surveys, the forms explain the purposes for which we ask you for personal or sensitive information. Because of the nature of the service we provide, it may be that we ask you to provide us with information that is of a sensitive nature. Your decision to proceed with the services will constitute your agreement to provide and allow us to use such sensitive information.

To send an email to us or to make an enquiry online, you will need to complete an email form available on this website. This form may ask you for your email address or an alternative contact number. Any information requested in respect of the online enquiry form is used only for the purpose related to the request, such as to answer your query.

How Is The Information Collected?

The information we collect in respect of the number of visitors visiting this website is collected through code embedded in the pages of this website. With respect to cookies, we confirm that we use cookies to store visitors’ preferences and browser types, record session information, and record user-specific information on what pages users access or visit.

How Is The Information Kept Secure?

We have appropriate security measures in place in our physical facilities to protect against the loss, misuse or alteration of information that we have collected from you at our site. In so doing, we have taken numerous steps to protect your personal information from misuse, loss, and unauthorised access, modification or disclosure. Additionally, we take reasonable steps to destroy or permanently de-identify personal information when we no longer need it.

How Is The Information Used?

Personal information that we collect is not traded, sold, leased or rented. If you supply us with your email address or postal address online you may receive periodic emails from us incorporating our newsletter or with information on our new products and services or upcoming events. If you supply us with your telephone number online, you may receive telephone contact from us with information regarding new products and services or upcoming events. If you do not want to receive emails, mailings or telephone calls from us in the future, please let us know by sending us an email at the above address (or using the unsubscribe function on our emails), calling us at the above telephone number or writing to us at the above address.

If you ask to be removed from our lists, please provide us with your exact name and address so that we can be sure to process your request efficiently.

We may make use of external companies for the following purposes:
* for web hosting services for this website;
* for maintenance or problem-solving;
* to gather non-personal information from cookies in order to evaluate the effectiveness of our website and to enhance it.

What’s the legal basis for processing?

If you ask to hear from us, the legal basis for processing will be your consent. You can change your mind by unsubscribing from our services.

Our use of cookies and other website tools, and the analysis and use of that information, is undertaken on the basis of our “legitimate interests” – we have a legitimate interest in enhancing our services and promoting our business. You can control our use of cookies and certain other technologies through use of private browsing, cookie blockers, and other technologies, but this may interfere with the usability of our website.

Sending data overseas

Everlight is part of a global group of radiology services companies. Personal data obtained through our website may be transferred to other parts of our group. Where this happens, we will ensure that there are appropriate measures in place (usually use of the European Model Contractual Clauses) to make lawful the transfer of data overseas.

Automated decision making

“Automated decision making” means decisions made about a person without any human involvement. We do not make use of automated decision making through our website, although many of our website tools (for instance signing up to emails) will be supported by electronic systems.

Rights of access, correction, erasure, restriction and portability

You have the following rights under the GDPR:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to ask to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party, also known as portability.

Please contact the DPO in writing (contact details above) if you would like to exercise any of your rights under the GDPR.

Please be aware that whilst a fee will not normally apply where there is a request to access your personal data, we may charge a reasonable fee if your request for access is repeated and/or clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Links With Third Parties

Our website includes links to third parties through hyperlinks. This Online Privacy Statement does not apply to such third parties, and we recommend that you read their privacy and security policies to see how they deal with your personal information online.

You have the right to lodge a complaint regarding our use of your data

Please tell us first, so we have a chance to address your concerns. If we fail in this, you can address any complaint to the UK Information Commissioner’s Office, either by calling their helpline or as directed on their website at www.ico.org.uk.

Privacy/Fair Processing Notice – Patients and Customers

If you are an Everlight customer or patient (Data Subject) this policy applies to you.

Who is Everlight?

Everlight is the trading name of Radiology Reporting LLP. Our contact details are:

6th Floor West, 350 Euston Road, London NW1 3AX

We are registered with the UK Information Commissioner’s Office under registration number 

Everlight has a Data Protection Officer (DPO) whose role it is to ensure that data protection is built into our culture and working practices. If you have any questions about the use of your personal data, you should contact the DPO in the first instance.

The contact details of our DPO are:

Kate Cooper

kcooper@everlightradiology.com

0300 400 1111

What does Everlight do?

X-rays and other imaging are taken in hospitals and clinics to help to diagnose illness and injury. Specialist clinicians, called radiologists, are responsible for interpreting this imaging to assist treating doctors in working out the cause of a patient’s injury and the appropriate treatment for it.

Everlight provides a radiology reporting service 24 hours a day, 365 days a year around the world. Our business model follows the sun, so our team of 300+ consultant radiologists are always reporting in their daylight hours. This service aims to provide fast, safe and effective clinical reporting services to hospitals and clinics, where the expertise may not be available ‘in house’ because of the time of day, volume of reports needed, or a lack of local skills.

Our responsibilities

If you are a registered Everlight customer or patient we act as a data processor in connection with personal data on your behalf. A “data processor” means an entity which processes personal data on behalf of the “data controller” (in our case, the NHS Trust, the hospitals and other customers on whose behalf we provide services).

This means we typically only process your data to help us provide our service to our customer, or in accordance with our customer’s instructions, or as required by law. Our customer is ultimately responsible for making sure that its patients’ personal data is treated in accordance with applicable data protection laws. That includes informing patients, in the first instance, how service providers (like us) collect and use data on their behalf.

We may also, on occasion, be a data controller in respect of some data we hold.

Your responsibilities

  • Read this Privacy Policy
  • If you are our customer, please also check the contracts between us: they may contain further details on how we collect and process your data.
  • If you provide us with personal information about other people, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. By submitting the information, you confirm that you have the right to authorise us to process it on your behalf in accordance with this Privacy Policy.

Data protection principles

The GDPR came into force on 25 May 2018 and sets out the principles we seek to adhere to when processing your personal data. 

The GDPR principles are as follows:

  • Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose limitation – data must be collected only for specified, explicit and legitimate purposes.
  • Data minimisation – data must be adequate, relevant and limited to what is necessary.
  • Accuracy – data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased.
  • Storage limitation – data must only be stored for as long as is necessary.
  • Integrity and confidentiality – data must be processed in a secure manner.
  • Accountability - the data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.

When and how we collect data, and the sources of the data we process

Our service operates by:

1)    Our customer (an NHS or other hospital) taking imaging of the patient;

2)    The imaging and other data being sent to us;

3)    The imaging being reviewed by a consultant radiologist using our secure systems and a report on that imaging being generated;

4)    The report on the imaging being sent back to the customer through our systems to be used as part of the care and treatment of the patient.

5)    We keep records about the service provided in order to bill our customers for the reviews undertaken, and to ensure the safety and quality of services we provide.

Data is sent to Everlight for processing when the customer sends the data or when the Data Controller advises us to pull the Data from the gateway. Everlight only acts on the instructions of the customer in this regard.

The categories of personal data we process

The data controller provides information on patients in order for Everlight to provide a Diagnosis Report.

Patient Demographics (name, address, Date of Birth, Patient ID, NHS Number, Accession), and all information that is provided on the referral form – for instance background or clinical history which is deemed relevant by the referring clinicians.

Images – we receive x-rays, CT scans, MRI scans and other kinds of radiographic imaging, in order to report on them.

We also receive details of the radiographer’s name and contact details, and the treating clinician’s name and contact details.

Why we collect data (the purpose and legal basis of the processing)

Obtaining personal data is essential to the service we provide, and for the safe, timely and effective treatment of patients.

The legal bases (further to Article 6 GDPR) on which we process data are:

  • To comply with legal obligations (Article 6(1)(c)). We are regulated by the Care Quality Commission, and under CQC obligations we are required to maintain proper records of the care and treatment provided. Our clinicians are regulated by the GMC and are under professional obligations to provide care and treatment.
  • To protect data subjects’ vital interests (Article 6(1)(d)) – on urgent referrals, we will be working quickly to interpret the radiology and other information provided to us to report on the potential reasons the patient is unwell and to provide recommendations on treatment.
  • To serve the public interest (Article 6(1)(e)) – there is a public interest in providing safe and effective healthcare services.
  • To serve our legitimate interests (Article 6(1)(f)) – we need to process data and keep records of the treatment provided in order to ensure that our clinicians are paid for the work they do, to resolve any complaints or concerns about the treatment that has been provided, to undertake clinical audit, for insurance and professional regulatory purposes.

Because the data we process is ‘health’ data, it is deemed more sensitive and therefore we also need to satisfy a legal basis in Article 9 GDPR. The legal bases we normally rely on are:

-          The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional…

-          The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices[…]

These are given further effect by Schedule 2 paragraph 2 of the Data Protection Act 2018, which provides:

(1)This condition is met if the processing is necessary for health or social care purposes.

(2)In this paragraph “health or social care purposes” means the purposes of—

(a)      preventive or occupational medicine,

(b)      the assessment of the working capacity of an employee,

(c)       medical diagnosis,

(d)      the provision of health care or treatment,

[…], or

(f)       the management of health care systems or services […].

 

The recipients of data we process

We treat all data in accordance with the principles of confidentiality. The people that may receive data we process are:

-          Our staff, and global network of clinicians (in order to provide 24/7/365 radiology reporting services, and to support the delivery of those services); and

-          The clinicians and staff at the hospital that has commissioned services from us.

Sometimes, it is necessary for us to share information with others in order to comply with legal obligations (for instance, because the Care Quality Commission or a professional regulator requires the provision of information), or to comply with requests from law enforcement agencies (for instance the police).

Everlight is part of an international group of companies and in order to give good value and effective services, we may share information between those companies as part of the delivery of our services. For instance, some of our payroll data is processed in Australia. We ensure that where we share information between our companies (and with our radiologists) elsewhere in the world, UK standards of data protection are maintained.

Everlight uses state of the art software systems from the global leaders in clinical support. For example, this includes Intelerad (PACS system) and Nuance (voice recognition). Sometimes it is necessary for us to share your data with them in order to get these services to work well. Your data is shared only when strictly necessary and according to the safeguards and good practices detailed in this Privacy Policy. All of our third party providers are only able to access our system when they are given permission by a member of our IT Support Team. Everlight requires all of our third parties to complete Third Party Security Questionnaires annually, all of our third parties are risk assessed annually, and in their contracts they have agreed to follow Everlight’s confidentiality requirements. The third party providers are not able to use your personal data for their own purposes.

If you have any questions or if you would like to see a complete list of our Third Party suppliers please let us know.

International data transfers

We may share data with clinicians working elsewhere in the world, using our secure network, and with other Everlight companies and contractors. These transfers are made lawful through use of the European Commission’s standard contractual clauses for international data transfers.

Automated decision making

We do not undertake “automated decision making” about individuals – that is, decisions without any human involvement at all.

How long do we keep your data?

Everlight currently uses a waterfall system and images are kept for approximately 4 weeks and then deleted from the system. However, other information with regards to your study will remain on our system for the legally required time or as agreed with the Data Controller in our contract.

How do we keep your data safe and secure?

All patient identifiable information (PID) (images and referral) is transferred securely either via an encrypted (AES-256) SSL VPN tunnel, or an IPsec AES-256 encrypted tunnel, to a secure Tier 3 Data Centre via the N3 Network. All remote machines have encrypted hard drives and data is purged upon user log-off. The log-off process is enforced via group policy. System monitoring is done via Everlight’s proprietary software. Everlight’s systems undergo regular independent penetration testing. Data is stored in a secure Tier 3 Data Centre, which has strict access controls in place.

All our staff work under strict contractual obligations of confidentiality, and receive training on data protection matters. Clinicians are subject to professional regulatory standards which include confidentiality matters.

Your rights

The law on data protection gives you certain rights in relation to the personal data we hold about you. These are:

 

  • The right to be informed. This means that we must tell you how we collect and use your data (i.e. the details provided in this privacy notice).
  • The right of access. You can ask to see the data we hold about you which we will provide free of charge (in most circumstances). If you are interested in your clinical records or imaging you should, however, ask your healthcare provider in the first instance.
  • The right to rectification. You can ask for any inaccuracies to be corrected. If any of the data we hold about you is wrong you are able to ask us to correct it.
  • The right to ask for erasure: to ask to have your information deleted. If you want us to remove any of your data you can ask us to delete it from our systems where it is no longer necessary for us to keep it. Please be aware, however, that we may not be able to comply with such requests.
  • The right to restrict processing of your data. You can ask us to stop using your data while we check that it is correct.
  • The right to object to the inclusion of any information if we are processing it based on a legitimate interest. You can tell us that you think the way that we use your data is wrong.

 

Where you have consented to us using your data you have the right to withdraw that consent at any time. Please note, however, that we do not normally rely on ‘consent’ as the legal basis for processing data – as set out above, we normally process data because we have a legitimate interest in processing the data, or because we are under a legal obligation to do so.

Making a complaint

If you are concerned about the data we hold, how we are processing it or if you would like to see the data we hold about you please contact us on the details provided above.

If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the Information Commissioner's Office. The contact details of the ICO are as follows:

Helpline: 0303 123 1113

https://ico.org.uk/concerns/

Privacy/Fair Processing Notice – Staff (including Radiologists and Contractors)

Everlight Radiology of 350 Euston Rd, London NW1 3AX and www.everlightradiology.com is a "data controller" for the purposes of data protection legislation. A data controller determines the purposes and means of processing personal data.

Personal data is any information which relates to an individual who can be identified from that information.

Processing includes the collection, recording, storage, use, disclosure or destruction of personal data.

Under the General Data Protection Regulation (GDPR) we are required to provide all data subjects with a privacy notice to inform the subject about why we process personal data and the legal basis for doing so.

This privacy notice applies to current and former employees, workers, contractors and volunteers (together ‘the workforce’) and it is important that you read through it carefully. This notice does not form part of any contract of employment or other contract to provide services and may be amended from time to time.

Everlight has a Data Protection Officer (DPO) whose role it is to ensure that data protection is built into the organisation’s culture and working practices.  If you have any questions about the use of your personal data, you should contact the DPO in the first instance.

The contact details of the DPO are:

Kate Cooper

kcooper@everlightradiology.com

0300 400 1111

Data protection principles

The GDPR came into force on 25 May 2018 and sets out the principles we, as a data controller, must adhere to when processing your personal data. 

The GDPR principles are as follows:

Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation – data must be collected only for specified, explicit and legitimate purposes.

Data minimisation – data must be adequate, relevant and limited to what is necessary.

Accuracy – data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased.

Storage limitation – data must only be stored for as long as is necessary.

Integrity and confidentiality – data must be processed in a secure manner.

Accountability - the data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.

The workforce personal data processed by Everlight

The provision of personal data is necessary in order that the organisation can enter a contract with you to provide services for the organisation.  If you fail to provide the details requested, we may be unable to comply with the terms of any contract with you or comply with our legal obligations to you.

We process the following categories of personal data about you:

  • Name, address, contact details

o   In order to enter into your contract of employment you are required to provide your personal details.  If you do not provide this information, we will not be able to employ you.

  • Terms and conditions of employment 
  • Qualifications and work experience as set out in job applications and CVs
  • CV – Permission to Share Resume Form (if Applicable)
  • Bank account details and national insurance number

o   In order to enter into your contract of employment you are required to provide bank details and your national insurance number to the organisation. If you do not provide this information, we will not be able to process payments to you.

  • Pensions scheme membership details

o   You are required under the terms of your contract to provide information about your pension scheme membership.   If you do not provide this information, we will not be able to administer your pension benefits. (if Applicable)

  • Information about your right to work in the UK

o   In order to enter into your contract of employment, you are legally required to provide evidence of your right to work in the UK. If you do not provide this information, we will not be able to employ you. (Passport and Visa if Applicable)

  • Information about criminal offences

o   In order to enter into your contract of employment, you may be required to provide a DBS check to enable us to verify your suitability for the position. If you do not provide this information, we will not be able to employ you.

  • Periods of leave which have been taken (annual leave and sickness absence, maternity, paternity, parental leave)

o   You are required under the terms of your contract and you are obliged under statute to provide information about periods of leave.   We require this information to provide you with your statutory and contractual benefits. If you do not provide this information, we may not be able to provide these benefits.

  • References
  • Disciplinary and grievance procedures including warnings
  • Records of appraisals and performance improvement plans
  • Special category data (Medical Questionnaire)

o   Information about your health, including any medical condition, health and sickness records and data about immunisations and vaccinations

o   information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity

  • Use of our IT, communication and other systems
  • Details in references about you that we give to others
  • Additional requirements for Radiologists: Scan preferences, Appraisal summary, Medical insurance certificate, GMC/NCAS declaration, Proof of address, GMC certificate

We collect personal information about our workforce through the recruitment process, either directly from candidates or sometimes from an employment recruitment agency or background check provider. Personal data about our workforce is collected in many ways: through communications with you either face to face or in writing, email or on the telephone; through monitoring of our websites and our computer networks and connections, CCTV and access control systems, communications systems, remote access systems, from your doctors, from medical and occupational health professionals we engage, email and instant messaging systems, intranet and internet facilities.

We may sometimes collect additional information from third parties including former employers, or other background check agencies.

We aim to ensure that our data collection and processing is always proportionate. We will notify you of any material changes to information we collect.

Why we process personal data

We process the personal data of our workforce for employment purposes.

We will only use your personal data when the law allows us to. The GDPR sets out six legal bases for processing personal data. The most common legal bases for processing your personal data are:

1. Where we need to perform the employment contract we have entered into with you.

2. Where we need to comply with a legal obligation.

3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We set out below the ways in which we process your personal data and the legal basis on which we rely as set out in 1 – 4 above.

  • Making a decision about your recruitment or appointment (Legitimate interest – the legitimate interest being the employment of a suitable workforce)
  • Determining the terms on which you work for us (Legitimate interest – the legitimate interest being maintaining good employment practices and ensuring consistency of terms of employment of the workforce)
  • Checking you are legally entitled to work in the UK (Legal obligation)
  • Where eligible, checking your criminal record (Legal obligation)
  • Uploading information onto Employment Staff Record (Legitimate interest - the legitimate interest being the employment of a suitable workforce)
  • Paying you and deducting tax and National Insurance contributions (Contract/Legal obligation)
  • Liaising with your pension provider (Contract)
  • Administering the contract we have entered into with you (Contract/Legal obligation)
  • Business management and planning, including accounting and auditing (Legitimate interest -  the legitimate interest being the effective and efficient provision of health care services)
  • Conducting performance reviews, managing performance and determining performance requirements (Legitimate interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices in the provision of the healthcare service)
  • Conducting disciplinary procedures – (Legitimate Interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices in the provision of the healthcare service)
  • Making decisions about salary reviews and compensation (Contract)
  • Assessing qualifications for a particular job or task (Legitimate interest - the legitimate interest being employment of a suitable workforce).
  • Gathering evidence for possible grievance or disciplinary hearings (Legitimate interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices and the effective provision of health care services).
  • Making decisions about your continued employment or engagement (Legitimate interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices and the effective provision of health care services).
  • Making arrangements for the termination of our working relationship (Legitimate interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices and the effective provision of health care services)
  • Education, training and development requirements (Legitimate interest - the legitimate interest being the employment of a suitable workforce)
  • Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work (Legal obligation)
  • Ascertaining your fitness to work (Legal obligation)
  • Managing sickness absence and assessing your right to occupational sick pay (Contract/Legal obligation).
  • Complying with health and safety obligations (Legal obligation)
  • To prevent fraud (Legal obligation).
  • To monitor your use of our information and communication systems to ensure compliance with our ISO27001/Corporate/GDPR and IT policies (Legitimate interest – the legitimate interests being to monitor and manage staff access to our systems and facilities; to protect our networks, and the personal data of employees and service users, against unauthorised access or data leakage; to ensure our policies, such as those concerning security and internet use, are adhered to for operational reasons, such as maintaining employment records, maintaining service user records, training and quality control to ensure that sensitive information is kept confidential.)
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution. (Legitimate interest – the legitimate interests being to monitor and manage staff access to our systems and facilities; to protect our networks, and the personal data of employees and service users, against unauthorised access or data leakage; to ensure our policies, such as those concerning security and internet use, are adhered to for operational reasons, such as maintaining employment records, maintaining service user records, training and quality control to ensure that sensitive information is kept confidential.)
  • Equal opportunities monitoring (Legal obligation).

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

We will keep the personal data we store about you accurate and up to date. Data that is inaccurate or out of date will be destroyed. You are responsible for notifying us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you.

Consent

Under the Data Protection Act 1998, consent was the basis on which most employers processed the personal data of their workforce.  Guidance issued in relation to the GDPR has stated that consent should only be relied on as the legal basis for processing where it is freely given, specific, informed and unambiguous.  We will not, generally, rely on consent as a legal basis for processing your personal data but in certain circumstances it may be deemed appropriate.  Where you provide consent to the processing of your data, you will be asked at the time the data is processed and you should be aware that you will be able to withdraw your consent at any time. 

Special category data

We will only process special category data about genetic and biometric data, and data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, and sexual orientation, where a further condition is also met.

The conditions which will usually apply are that we have a legal obligation to process the information, where it is necessary to assess your working capacity on health grounds or, less commonly, where it is needed in relation to legal claims.

We will use your special category data in the following ways:

  • information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
  • information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
  • information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.

Criminal offence data

The CQC requires that we, as CQC-regulated service providers, carry out DBS checks where we are authorised to do so under legislation. You should be aware that certain roles within the organisation will require either a standard, enhanced or enhanced with barred list information DBS check to be carried out. For those providing healthcare services, standard checks may be obtained for individuals working in certain roles (i.e. Management and/or Reporting Radiologists):

“Any employment or other work which is concerned with the provision of health services and which is of such a kind as to enable the holder of that employment or the person engaged in that work to have access to persons in receipt of such services in the course of his normal duties”.

An enhanced check may be obtained for the roles listed in the ROA Exceptions Order and also in the Police Act 1997 (Criminal Records) Regulations.   

Enhanced DBS checks with barred list information can be obtained for individuals where roles fall under the definitions of regulated activity within the meaning of the Safeguarding Vulnerable Groups Act 2006 as amended by the Protection of Freedoms Act 2012.

We will only require a DBS check to be made where the role is eligible and the check shall be at the appropriate level only and no higher. We will assess the relevance of any cautions and convictions detailed in the DBS check to the role for which the applicant has applied.

Due to patient information being accessed, Everlight requires a DBS check for all radiologists. If a radiologist’s DBS check indicates any concerns, it could be passed on to our clients for approval. This approval is required in order for the reporting radiologist to report for the client. Please note consent from the reporting radiologist or non-clinical staff member being DBS checked would need to be provided before Everlight would share it with a third party. Please note this is sensitive information. The DBS would be kept for employment plus 6 years (this is in keeping with all of your HR information that you have provided). Please refer to Everlight’s Retention Policy for more information on how long your information is kept for.

Electronic Staff Record

On commencement of employment with Everlight, Non-Clinical staff will have their personal data saved on an HR Drive. This Drive will only be accessed by approved personnel. For Radiologists, their personal data will be saved on an Operations Management Drive. This will only be accessed by approved personnel. Compared with having paper HR files, this allows Everlight to manage the workforce more effectively, leading to improved efficiency and improved patient safety.

Retention periods

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Retention periods for personal data will vary according to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We ordinarily follow the retention periods set out in the NHS Records Management Code of Practice.

You should be aware that employee documentation is ordinarily retained for six years after termination of employment, which is the statutory limitation period for breach of contract claims, and then promptly deleted once that period has passed.  A summary of your records will be kept until your 75th birthday or six years after leaving whichever is the longer and then reviewed.  For unsuccessful job candidates, documentation is retained for six months after he or she is rejected for a role and then deleted.

However, it should be noted that there is some legislation which requires certain health monitoring data to be retained for up to 40 years and, for clinical staff where there is a negligence claim in relation to a child, the normal three year personal injury limitation period is extended until that child reaches 21 years of age. We have put a system in place so that the data of staff who may be at risk of certain diseases, or who were involved in an incident that could give rise to a clinical negligence claim, and which requires a longer retention period than six years, is marked appropriately as needing to be retained for a longer period.

If we are able to anonymise your personal data so that you can no longer be identified from it, we may use such information without further notice to you.

Recipients of data

We may have to share your data with third parties, including third-party service providers. We may also need to share your data with third parties such as external contractors and our professional advisers. "Third parties" may include third-party service providers (including contractors and designated agents) and the NHS. Some examples of our third parties that may receive personal information about you are Frontier, TM1 and Finance Force. Everlight contracts with external providers to handle aspects of payroll data and, because of the global nature of these companies (e.g. Frontier, TM1 and Finance Force), they may process data outside the EU (and in particular in Australia and Japan). Everlight seeks to ensure that there are appropriate measures in place to keep data safe and that individuals’ rights are protected where such data is processed outside the EU.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

Please note that you can request a full list of third parties by contacting Everlight’s DPO.

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Security

We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if the third party agrees to comply with those procedures and policies, or if it puts in place adequate measures.

Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.

Everlight undertakes a range of security measures to assure our security systems. These include Personal Data Breach rehearsals, BCP testing, penetration testing (annually) and ISO27001 audits within our scope, which is patient information. Everlight carries out annual reviews of its management system, including Risk Treatment and Risk Management, and we have metrics against which we measure our ISMS. Data Mapping is done annually for all departments, and Privacy Impact Assessments are done for all departments.

Everlight carries out random event log auditing to ensure that access to studies by our staff is correct. We do random annual cross-checking of IT access against the official IT access to ensure that the access matches.

Everlight holds regular quarterly Information Governance Forums (IGF Meeting) where risks are a standard agenda item.

Technical Data Security

All patient identifiable information (PID) is transferred securely either via an encrypted (AES-256) SSL VPN tunnel, or an IPsec AES-256 encrypted tunnel, to a secure Tier 3 Data Centre via the N3 Network.

All remote machines have encrypted hard drives and data is purged upon user log-off. The log-off process is enforced via group policy.

System monitoring is done via Everlight’s proprietary software. Everlight’s systems undergo regular independent penetration testing. 

Data is stored in a secure Tier 3 Data Centre, which has strict access controls in place.

Management of Data

Everlight only retrieves data for examinations which have been sent by the client. Radiologists do not have access to the client’s full RIS/PACS systems. Data is purged as per the contractual agreements with the Trust. Any access to PID is recorded and fully auditable.

Monitoring: Everlight monitors all critical network devices and critical applications via monitoring software. All critical alerts are captured in the service desk tool, and a 24/7 IT team monitors the service desk to action alerts.

Automated decision making

Everlight currently does not use automated decision-making systems. If Everlight does decide to use automated decision-making, we will communicate this to staff. If a decision is made to use such systems, please be aware that you will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Rights of access, correction, erasure, restriction and portability

You have the following rights under the GDPR:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to ask to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party, also known as portability.

Please contact the DPO in writing (contact details above) if you would like to exercise any of your rights under the GDPR.

Please be aware that whilst a fee will not normally apply where there is a request to access your personal data, we may charge a reasonable fee if your request for access is repeated and/or clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Right to contact the Information Commissioner’s Office

You should be aware that you have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. The contact details of the ICO are as follows:

Helpline: 0303 123 1113

https://ico.org.uk/concerns/