WEBSITE AND COMMUNICATION PRIVACY POLICY

The security of your data is important to us. This privacy policy explains how we collect your data, what we do with it, and your rights regarding the data.

We may update this notice from time to time.

WHO WE ARE

Castle Craig Hospital Ltd is the data controller for the information collected on this and other websites. This means that Castle Craig determines what information is collected, how this data will be used and how it is protected. We are fully committed to fulfilling our obligations to website users about their privacy and their rights.

Our registered address is:

Castle Craig Hospital

Blyth Bridge

West Linton

EH46 7DH

If you have any concerns about your data protection rights please contact l.douglas@castlecraig.co.uk

WEBSITES

The following websites are within the scope of this Privacy Policy:

www.castlecraig.co.uk

www.smarmore-rehab-clinic.com

www.guidetorehab.com

www.executive-rehab-guide.co.uk

www.castlecraig.fr

www.castlecraig.se

www.castlecraig.london

www.castlecraig.ro

www.castecraig.ie

www.castlecraig.com.mt

www.castlecraig.be

www.castlecraig.foundation

www.castlecraig.nl

www.eata.rehab

www.guidetorehab.co.uk

www.hyperbaricoxygentherapy.org.uk

 

COLLECTION OF PERSONAL DATA

We will collect data about you to make your browsing a better experience, to provide you with information you have requested, in your communication with us either on the phone or by email, to fulfil your contract with Castle Craig, or in the course of our transaction with you or someone you know at Castle Craig.

This includes information that was obtained directly from you, either via our website or in communications, but may also include from time to time information that was collected about you, for example from your family or friends who contact us.

We collect this information on the basis of legitimate interest, where Castle Craig requires the information to provide its service and this isn’t outweighed by your right to privacy; on a lawful basis where Castle Craig is required to collect your data; where consent is required to process the information; or where it is necessary for the public good.

When you get in contact with us, the information that is collected about you may include:

Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses

Date of birth

Gender

Marital status and dependants

Next of kin and emergency contact information

Communication between Castle Craig and you

Financial information for payment purposes

Technical information

In addition, and in order to ensure that each visitor to any of our websites can use and navigate the site effectively, we collect the following:

Technical information, including the Internet Protocol (IP) address used to connect your device to the Internet;

Your login information, browser type and version, time zone setting, browser plug-in types and versions;

Operating system and platform;

Information about your visit, including the Uniform Resource Locators (URL) clickstream to, through, and from our site.

HOW INFORMATION IS KEPT SAFE

Information is retained in secure electronic and paper records and access is restricted to only those who need to know.

We also anonymise or pseudonymise your information where appropriate to protect your identity.

All of our staff are subject to strict confidentiality policies.

WHO THE DATA IS SHARED WITH

Your data is kept within Castle Craig, unless it is necessary to share with third parties.

We transfer your data to other companies for the purpose of the normal management of the business, to cloud-based hosting providers. Where this is the case, safeguards are put in place to secure your data, including ensuring that the host provider’s security is acceptable and contractual obligations for providers to comply with the GDPR.

We may share data with third parties where Castle Craig Hospital has a legal obligation to do so.

We may share your data with other people that you request we share it with, for example family or friends. We may share your data with other bodies, for example social care or educational services. Where we do, we will gain your consent unless we are legally required to share the information.

You have a right to revoke your consent to sharing data where your consent is necessary, and we will explain the consequences of this when you do.

Under certain circumstances, your data may be transferred outside of the UK to other EEA countries, or to countries outside of the EEA. Where this is the case, Castle Craig Hospital ensures the security of your data with strict safeguards including contractual obligations for third parties outside of the EEA to comply with GDPR requirements and encryption of data.

HOW LONG IS INFORMATION KEPT

Your information will be kept for different lengths of time, but in all cases, for no longer than is necessary.

Where you give us information, but do not enter treatment, this information will be deleted after being held for six months. Where you, or the person on whose behalf you were ringing, does come into treatment, your communications with us will be held for six years following discharge to comply with the statute of limitations. Where you give us financial information for the payment of treatment, this will be kept for the legal requirement of 7 years.

Where you, or the person on whose behalf you were ringing, does come into treatment, an updated privacy policy will be sent to the patient at that time.

YOUR RIGHTS

Under the GDPR, you have a number of rights regarding your personal data. These are:

  1. The right to be informed of data that is processed about you;
  2. The right to request access to your data, to be provided within 30 days of the request or 2 months for complex cases at no cost except under certain circumstances;
  3. The right to rectify information held, to be corrected within 30 days of the request or 2 months for complex cases;
  4. The right to erasure: where appropriate, your data can be deleted at your request. This will apply only where the Company's recording of the information is no longer necessary or it does not have an overriding legitimate interest to do so;
  5. The right to restrict processing: under certain narrow circumstances, you will have the right to restrict the Company from processing the data;
  6. The right to data portability: under certain circumstances you can request to copy or transfer your information from one IT environment to another;
  7. The right to object to processing: under certain circumstances you can object to the processing of the data, and the Company must halt processing unless it can demonstrate an overriding legitimate interest.

COMPLAINTS

You have the right to lodge a complaint to Castle Craig Hospital regarding any rights you have under the GDPR. Please contact HR manager Lucy Douglas at l.douglas@castlecraig.co.uk.

You have the right to lodge a complaint to the Information Commissioner’s Office if you believe the Company has not complied with the GDPR. Contact at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Telephone: 0303 123 1113

Via email here: https://ico.org.uk/global/contact-us/email/

Or the Scottish office here:

The Information Commissioner’s Office – Scotland

45 Melville Street

Edinburgh

EH3 7HL

Telephone: 0303 123 1115

Via email here: Scotland@ico.org.uk