1. Who Is Everlight?

Everlight Radiology Limited takes its data protection and privacy responsibilities seriously. This notice explains how Everlight collects and uses personal information in the course of our business activities in our capacity of data controller for the purposes of applicable data protection legislation. Please read this notice carefully.

Everlight Radiology Limited. Our contact details are:

6th Floor West, 350 Euston Road, Regent’s Place London NW1 3AX

Information Commissioner's Office (ICO)

Please go to https://ico.org.uk/for-organisations/ for more information.

We are registered with the UK Information Commissioner’s Office (ICO) under registration number ZB224415.

Previously registered under Radiology Reporting Online LLP, registration number Z3257763.

Data Protection Commission (DPC)

Please go to www.dataprotection.ie for more information.

The Data Protection Commission (DPC) is the relevant supervisory authority responsible for approval of data protection criteria or mechanisms in certification schemes.

We are registered with the Data Protection Commission (DPC), and our Companies Registration Office Ireland (CRO) registration number is 652426, under the name of Everlight Radiology (Ireland) Limited.

Data Protection Officer (DPO)

Everlight has a Data Protection Officer (DPO) whose role it is to ensure that data protection is built into our culture and working practices. If you have any questions about the use of your personal data, you should contact the DPO in the first instance. The contact details of our DPO are: Kate Cooper dataprotection@everlightradiology.com; phone: 0300 400 1111. Everlight’s DPO is registered with the ICO and the DPC.

2. What Does Everlight Do?

Computerised tomography (CT) scans, magnetic resonance imaging (MRI) scans, X-rays and other imaging are taken in hospitals and clinics to help diagnose illness and injury. Specialist clinicians, called radiologists, provide services to those hospitals and clinics by interpreting this imaging to assist treating doctors in working out the cause of a patient’s injury or illness and the appropriate treatment for it.

Everlight services operate, broadly, by:

  1. treating clinicians, doctors and other specialists at our customer (an NHS Trust hospital or clinic and/or other hospital or clinic customers on whose behalf we provide services) take an X-ray/MRI/CT and/or other imaging of an injured or ill patient;
  2. the X-ray and/or imaging and other data (‘Imaging’) are then provided to us (directly or indirectly) by our customer;
  3. we, with the support of our employee and consultant radiologists, review and interpret the Imaging using our secure systems, and arrange to generate a report on that Imaging (a diagnostic report);
  4. the diagnostic report on the Imaging is sent back to the customer through our secure systems and is then used as part of the care and treatment of the patient.

3. Our Responsibilities

Patients
Everlight as data processor

We process personal information of patients on behalf of our customers when we provide our services to them (i.e. by providing the diagnosis report to the relevant hospital or clinic). When we do this, we act as a "data processor" under relevant data protection laws, whilst our customer will be the relevant "data controller".

In order to provide the diagnosis report to our customers, our customers provide us with the following personal information on patients that we will process on behalf of the customer as a processor:

  • Patient demographics (name, address, date of birth, patient ID, NHS number, accession number);
  • Referral form information - background or clinical history which is deemed relevant by the referring clinicians; and
  • Images – x-rays, CT scans, MRI scans and other kinds of radiographic imaging, in order to report on them.

We will only process patient personal information in order to provide our services to our customers or where required by law. As controller, our customer is ultimately responsible for making sure that its patients’ personal data is treated in accordance with applicable data protection laws. That includes informing patients, in the first instance, how service providers (like us) collect and use data on their behalf.

Everlight as data controller

There may be limited circumstances where we will be processing your personal information as a data controller.

We may process your personal information as a controller for record keeping purposes where we have a legal obligation to do so. We are regulated by the Care Quality Commission (“CQC”), and under CQC obligations we are required to maintain proper records of the care and treatment provided. Our clinicians are regulated by the GMC and are under professional obligations to provide care and treatment.

We may also process your personal information as a controller for record keeping purposes where the processing is necessary for health care or insurance purposes, including where we have received a complaint or concern about the services that we have provided; to defend any legal claims; or to undertake clinical audit, for insurance and professional regulatory purposes.

If you have concerns or questions about our processing of your personal information in the context of Everlight’s services as described above, you should contact us using the contact details noted above. Please note that if you contact us directly, we may need to disclose your request to the relevant customer.

4. Customers and Website Users

When and how we collect your personal data

We collect personal data about you if:
(i) you use our website;
(ii) you use our services; or
(iii) you contact us by post, telephone or email.

5. Types Of Personal Data We Collect

Depending on the purpose for which we use your data, we may collect and use certain personal data that is disclosed to us, including:

  • your name and contact details;
  • your marketing preferences;
  • any other personal information you provide in correspondence with us, for example where this is relevant to a complaint or query (including your IMC/GMC number, if applicable).

When providing our services, we also receive details of a treating radiographer’s name and contact details and the treating clinician’s name and contact details (at our customer). When providing our services via telephone we collect personal data through recording all incoming and outgoing calls for record keeping and quality control purposes, including for the purposes of quality audits, service level monitoring and for medico-legal purposes. These recordings will be stored in accordance with Everlight’s records management and record retention policies and practice. The recordings will be stored in Amazon Web Services instances located in the United Kingdom.

Through your use of our websites, we will also collect information - such as IP address and browser generated information (browser type, operating system), as well as information about your browsing session. We do not use this information to identify you as an individual, but in order to tailor or enhance your browsing experience, or in aggregate with data of other users for statistical purposes. Please see our cookies policy for further information about the cookies we use.

If you provide us with personal information about other people, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. By submitting the information, you confirm that you have the right to authorise us to process it on your behalf in accordance with this Privacy Policy.

6. Why We Collect Data (the purpose and legal basis of processing)

Your personal information will be used for the purposes listed in the table below. Everlight will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do this. We have also described in the table the legal bases on which we rely. The legal basis we rely upon will affect which rights you have in relation to your personal information (see the section below for more details):

How we use your information, and the legal basis for our use of your information

To deliver our services.

This processing is necessary to perform the contract between you and us.

We consider that we have a legitimate interest in providing our customers with products and services which they have

To conduct business with you.

This processing is necessary to perform the contract between you and us.

We consider that we have a legitimate interest in conducting business with our customers, as this is central to our business, helping us to preserve our business operations and grow our business

To correspond with you in relation to our services.

Where there is a contract in place between you and us, this processing is necessary to perform the contract between you and us.

Where there is no contract in place, or where there is a contract but this is between us and your employer (for example), this processing is necessary for our legitimate interests.

We consider that we have a legitimate interest in conducting business with our customers, as this is central to our business, helping us to preserve our business operations and grow our business

To invoice our customers for the services provided

This processing is necessary for our legitimate interests.

We consider that we have a legitimate interest in ensuring that all of our customers receive the best possible experience, helping us to preserve our business operations and grow our business. Understanding our customers' needs is a vital part of ensuring a great customer experience.

For record keeping purposes

This processing is necessary to comply with a legal obligation. We are regulated by the Care Quality Commission, and under CQC obligations we are required to maintain proper records.

Where there is no legal obligation, we consider that we have a legitimate interest in processing the personal information to ensure the safety and quality of services we provide.

To monitor your use of our websites in order to make improvements to the site and the user experience.

This processing is necessary for our legitimate interests.

We consider that we have a legitimate interest in ensuring that we are continually improving our services in order to preserve our business operations and grow our business, and ensuring that you are provided with information of relevance to you. However, where this activity is carried out using cookies which are not strictly necessary (see our cookie policy for further information) we will, where required by law, obtain your consent to such processing. Where such consent has been obtained, we will rely on this as our basis for processing.

To monitor, maintain and improve our IT environment, including security of our systems and website, and the applications that our customers use and that we use to manage our services.

This processing is necessary for our legitimate interests.

We consider that we have a legitimate interest in ensuring that we are continually improving our services in order to preserve our business operations and grow our business, and ensuring that you are provided with information of relevance to you.

For our employee training purposes.

This processing is necessary for our legitimate interests.

We consider that we have a legitimate interest in ensuring that we are continually improving our services in order to preserve our business operations and grow our business, and ensuring that you are provided with information of relevance to you. We consider that we also have a legitimate interest in ensuring that we are monitoring and improving the security of our website.

In order to enable us to comply with any legal or regulatory requirements.

Our use of your personal information is necessary to comply with a relevant legal or regulatory obligation that we have.

To market to you about our products and services, and otherwise to identify goods and services which we believe may be of interest to you.

This processing is necessary for our legitimate interests.

We consider that we have a legitimate interest in ensuring that our customers are kept up to date with information about our products and services, as this helps us to preserve our business operations and grow our business.

However, where required by law, we will obtain your consent before sending you such information.

In any case, if you tell us that you do not wish to receive such communications from us, we will respect your wishes. Personal information is necessary to comply with a relevant legal or regulatory obligation that we have.


7. Sharing Personal Information

We treat all data in accordance with the principles of confidentiality. We share your information in the manner and for the purposes described below:

The people that may receive data we process are:

  • our staff;
  • our global network of radiologists (in order to provide 24/7/365 radiology reporting services and to support the delivery of those services and manage our business);
  • the clinicians and staff at the customer (e.g. hospital or clinic) that has commissioned services from us;
  • members of the Everlight group, where such disclosure is necessary to provide you with our services or to manage our business;
  • third parties who help manage our business and deliver services. All of our third parties complete Third Party Security Questionnaires annually, and all of our third parties have completed Everlight Due Diligence Documentation (DPIA/Data Mapping/Supplier Review) which has been risk assessed and approved by Everlight’s IT Security Manager/Information Security Manager/DPO and IT Support Manager. This is reviewed annually for critical suppliers, and once in a three-year ISO cycle for all other suppliers;
  • our regulators, to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;
  • any person in connection with any legal proceedings or prospective legal proceedings, including in order to establish, exercise or defend our legal rights;
  • our partners, affiliates or advertisers, with whom we may share, in aggregate statistical form, non-personal information regarding the visitors to our website, traffic patterns and website usage; and
  • a potential or actual third-party purchaser of our business or assets, if in the future we sell or transfer some or all of our business or assets to a third party.

8. International Data Transfers

Everlight operates on a global basis and we may share data with clinicians and radiologists working elsewhere in the world, using our secure network, and with other Everlight companies and contractors located outside of the location in which you may be located or treated. Accordingly, your personal information may be transferred, processed and stored in countries outside the EU, including Australia, that are subject to different standards of data protection. Everlight will take appropriate steps to ensure that transfers of personal information are in accordance with applicable privacy laws and are carefully managed to protect your privacy rights and interests, and will take appropriate steps to ensure that transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights. Everlight uses Standard Contractual Clauses (SCCs).

You have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal data when this is transferred as mentioned above.

9. Automated Decision Making

“Automated decision making” means decisions made about a person without any human involvement. We do not make use of automated decision making, although many of our website tools (for instance signing up to emails) will be supported by electronic systems.


10. How Long Do We Keep Your Data?

We endeavour to ensure that personal information is kept as current as possible and that irrelevant or excessive data is deleted or made anonymous as soon as reasonably practicable. However, some personal information may be retained for varying time periods in order to comply with legal and regulatory obligations and for other legitimate business reasons.

We will generally retain your personal information only so long as it is required for the purposes for which it was collected. This will usually be the period of your relationship with us plus the length of any applicable statutory limitation period following the end of such relationship, although some data may need to be kept for longer, for example where required to comply with a legal obligation.

Where we are processing clinical images on behalf of our customers, Everlight currently uses a waterfall system: clinical images are kept for approximately 4 weeks and then deleted from our system. However, other information with regard to your study will remain on our system for the legally required time. Once reported, images are kept in a restricted cold storage environment and accessed for medico-legal reasons in line with NHS retention policy or as agreed with the customer in our contract. We maintain a records retention policy which we apply to all records in our care. Where your personal information is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by Everlight.

11. How Do We Keep Your Data Safe And Secure?

Everlight is committed to protecting the security of the personal information you share with us. In support of this commitment, we have implemented appropriate technical, logical, physical and organisational measures to ensure a level of security appropriate to the risk. For example, amongst other measures, we maintain a security policy and store all of your personal information on our secure servers. All patient personal information is transferred securely either via an encrypted (AES-256) SSL VPN tunnel, or via an IPsec AES-256 encrypted tunnel to a secure Tier 3 data centre over the HSCN network first and then via direct connections to our secure cloud data centre. All remote machines (used by radiologists around the world) have encrypted hard drives, and data is purged upon user log-off. The log-off process is enforced via Everlight group policy. System monitoring is completed via Everlight’s proprietary software. Everlight’s systems undergo regular independent penetration testing. Data is stored in secure cloud data centres, which have strict access controls in place. All our staff work under strict contractual obligations of confidentiality, and receive training on data protection matters. Our clinicians and radiologists are subject to professional regulatory standards which include confidentiality matters.

Please note that we are not in any way responsible for the security or content of any third-party services used in conjunction with our services, and this privacy notice does not cover the processing of your personal information by such services. It also does not cover the use of services for which we are acting as processor: in these cases the relevant controller should provide you with an additional notice.

12. Your Rights

Subject to certain exemptions, and in some cases dependent upon the data processing activity we are undertaking, you have certain rights in relation to your personal information.

With regard to any access request you may make to us in respect of your personal information, we may ask you for additional information to confirm your identity and, for security purposes, before disclosing any personal information requested to you. We reserve the right to charge a fee where permitted by applicable laws to do so, for instance if your request is manifestly unfounded or excessive.

You can exercise your rights by going to our website to find the way to contact Everlight: https://www.everlightradiology.com/en-gb/contact-us. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information to fulfil your request.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

12.1 Right to access personal information

You have a right to request that we provide you with a copy of your personal information that we hold and you have the right to be informed of, inter alia, (a) the source of your personal information; (b) the purposes and legal basis of processing; (c) the data controller’s identity; and (d) the entities or categories of entities to whom your personal information may be transferred.

12.2 Right to rectify or erase personal information

You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it.

You can also request that we erase your personal information in limited circumstances where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where data processing was based on consent – please note that we do not normally rely on ‘consent’ as the legal basis for processing data – the legal bases relied upon are set out in the relevant sections above); or
  • following a successful right to object (see right to object); or
  • it has been processed unlawfully; or
  • the personal data have to be erased for compliance with a legal obligation to which Everlight is subject.


We are not required to comply with your request to erase personal information if the processing of your personal information is necessary:

  • for compliance with a legal obligation; or
  • for the establishment, exercise or defence of legal claims.

12.3 Right to restrict the processing of your personal information

You can ask us to restrict your personal information, but only where:

  • its accuracy is contested, to allow us to verify its accuracy; or
  • the processing is unlawful, but you do not want it erased; or
  • it is no longer needed for the purposes for which it was collected, but you still need it to establish, exercise or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal information following a request for restriction, where:

  • we have your consent; or
  • to establish, exercise or defend legal claims; or
  • to protect the rights of another natural or legal person.

12.4 Right to transfer your personal information

You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where:

  • the processing is based on your consent or on the performance of a contract with you; and
  • the processing is carried out by automated means.

12.5 Right to withdraw your consent

Where we process your personal information based on your consent, you have the right to withdraw your consent at any time for the future, without affecting the lawfulness of processing based on your consent before its withdrawal.

12.6 Right to object to the processing of your personal information

You can object to any processing of your personal information which has our legitimate interests as its legal basis at any time on grounds relating to your particular situation.

If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

12.7 Right to object to how we use your personal information for direct marketing purposes

You can object at any time to processing of personal data concerning you for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.

Alternatively you can request that we change the manner in which we contact you for marketing purposes. You can also request that we simply not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.

12.8 Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction

You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the European Union.

We may redact data transfer agreements to protect commercial terms.

12.9 Right to lodge a complaint with your local supervisory authority

You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information. In the UK, the supervisory authority is the Information Commissioner (www.ico.org.uk).

We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.

If you have any questions, concerns or complaints regarding our compliance with this notice and the data protection laws, or if you wish to exercise your rights, we encourage you to first contact us using the above contact details. We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and in any event within the timescales provided by data protection laws.

13. Validity of the Procedure

This policy is reviewed annually by the Global IGF.