Privacy Notice

Rutherford Direct Membership Plan

The confidentiality of personal information is of paramount importance to Proton Partners International Ltd. This Privacy Notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us in accordance with UK data protection legislation.

We may need to update this Privacy Notice from time to time and where we are already processing your personal data, we will notify you of any significant changes.

Who we are

Proton Partners International Ltd is a Company registered in England and Wales (company number 12084009). We are a registered data controller with the Information Commissioners Office, registration number ZA213326.

This Privacy Notice informs you specifically about our Rutherford Direct Membership Plan (MP) provided by Proton Partners International Ltd. This plan provides Rutherford Direct Plan members access to treatment and procedures for cancer undertaken in Rutherford Cancer Centres located in the United Kingdom and other eligible providers. Eligible illnesses and medical conditions are described in the Membership Guide. Benefits provided under this plan begin only once you have received an initial diagnosis by a Consultant or Specialist of a condition as listed in the Membership Guide.

The Rutherford Direct Membership Plan Benefits service recommends doctors and treatment centres appropriate to your needs. It funds and manages both the practical and medical arrangements for treatment. The Plan provides specified benefits as set out in the Membership Guide. Where the term ‘we’ or ‘us’ is used, this relates to Proton Partners International Ltd. Our nominated representative, for the purpose of data protection legislation, is our Data Protection Officer whose contact details can be found at the end of this Notice.

1. What is personal data?

The term ‘personal data’ relates to any information that can, or has the potential to, identify you as an individual such as your name, address, e-mail address, phone number. It also includes less obvious information such as identification numbers, electronic location data and other online identifiers. Certain types of personal data are referred to in data protection legislation as ‘special categories’ of personal data. This is because they are classed as more sensitive and require additional protection.

Such information includes information about an individual’s:

· Race

· Ethnic origin

· Politics

· Religion

· Trade union membership

· Genetics

· Biometrics (where used for identification purposes)

· Health

· Sex life

· Sexual orientation

Processing personal data in line with data protection legislation

We will process your personal data in line with data protection legislation as follows:

· We will always process personal data lawfully and fairly and in a transparent manner. We will ensure this Privacy Notice is available on our website and relevant extracts are provided when you register for our services.

· We will process personal data to provide the range of services available through our membership plan and as described in this Privacy Notice.

· We will ensure that whenever we collect personal data it is adequate, relevant, and not excessive in relation to the purpose for which it is being processed.

· We will ensure information processed is accurate and kept up to date by asking you to confirm when you access our services that the information, we hold about you is correct.

· We will ensure that your personal data is kept in a form that allows us to identify you for clinical purposes but is not kept in an identifiable format for longer than is needed. Where we need to keep your identifiable data longer for scientific, research or statistical purposes we will ensure that the appropriate technical and organisational measures are applied to protect the confidentiality of the information.

· We will ensure that the processing of your personal data is carried out securely and confidentially. This means that we have policies, procedures, and training in place to ensure robust security controls are applied to the processing of your data.

2. What personal data do we collect?

We collect personal data and special category data (where relevant) to be able to provide the Rutherford Direct MP. The type and amount of personal data we collect will depend on our relationship with you as described below:

2.1. Making enquiries about our Membership Plan

When you contact us in person, by telephone, email, fax, letter, social media or through completion of a website enquiry form, to enquire about the Rutherford Direct MP, we will only collect personal data that is necessary to enable us to respond to your enquiry. The type of information collected will depend on the type of enquiry.

The types of information we will routinely collect on an enquiry will include:

· Name

· Address

· Contact details

· Age

· Nature of enquiry

To help us deal with your enquiry we may also need to collect more detailed information about your personal circumstances and health, or the information about your Company and its employees (if enquiring about corporate membership).

We may need to share your information with our team of healthcare professionals and medical practitioners to help us provide you with the most appropriate response to your enquiry.

If you provide personal information about another individual, you must inform them of this Privacy Notice. We will never relay or discuss personal information we hold about an individual to another individual without their consent or where evidence is provided of a lawful basis i.e., power of attorney.

2.2. Applying to join the Rutherford Direct MP

When you apply to join the Rutherford Direct MP, you will be asked to provide certain personal information to allow us to register your membership. Information required to register under the membership scheme is as follows:

· Full name and title

· Gender

· Date of birth

· Email address

· Height and weight

Should you proceed to register for a membership plan, following receipt of a quote, you will be asked for further information:

· Telephone number

· Full postal address

· Occupation

If you are a Corporate organisation applying for corporate membership of your employees, you will be asked to provide the following information:

· Name of Company

· Nature of Business

· Full postal address

· Telephone number

· Name of Company administrator

Information on individual employees will be required:

· Title

· Full name

· Gender

· Date of birth

· Position in Company

· Name of dependents (that wish to be included in the membership plan)

2.3. Website Management

Where you access our website, we may obtain your Internet protocol (IP) address and information that reveals your activity on the site. See section 10 for further information.

2.4. Direct Marketing

Where we conduct direct marketing campaigns for a Corporate Organisation, we may process your name if it is included in a corporate email address. This information is obtained from third party sources.

3. What is our lawful basis for processing your personal data?

Under data protection legislation we must always have a lawful basis for using personal data and special category data (as described earlier). The law provides a set of lawful purposes for processing personal data, such as:

· ‘The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.’ (The Contract Basis).

· ‘The data subject has given consent to the processing of his or her personal data for one or more specific purposes.’ (The Consent Basis.)

· ‘Processing is necessary for compliance with a legal obligation to which the controller is subject.’ (The Legal Obligation Basis).

· ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’ (The Public Interest Basis).

· ‘The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.’ (The Legitimate Interests Basis).

When processing special category data there are different lawful purposes that also need to be identified, in addition to those set out above, such as:

· ‘Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3’ (The Health Care Basis).

· ‘Processing is necessary in order to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent’ (The Vital Interests Basis).

· ‘Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.’ (The Legal Claims Basis).

· ‘Processing is necessary for reasons of substantial public interest on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject domestic law’ (The Substantial Public Interest Basis).

· ‘Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy domestic law’ (The Public Health Basis).

· ‘Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) as supplemented by section 19 of the 2018 Act, based on domestic law which shall Be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.’ (The Scientific Research Basis).

· ‘The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where domestic law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject’ (The Explicit Consent Basis).

Depending on the reason for us processing your personal data, there may be several lawful purposes that will apply, and which may be relevant at different times.

This section describes the lawful basis for processing personal data and special category for the purpose of providing the Rutherford Direct MP.

We set out below the lawful bases that we will rely upon. To make it easier to understand which of these applies to you we have specified the lawful bases for each of the categories of individual whose personal data we process.

Contract:

When you contact us and provide information to us with a view to receiving services from us, and/or when you contact us to apply for the Rutherford Direct MP, we process your personal data to meet those requests.

We therefore rely on this lawful basis for processing:

‘The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract’.

Legal obligations:

We are subject to a range of legal obligations in relation to the services we provide. These may range from our requirements under the UK Companies Act, employment law, tax purposes and regulatory requirements laid down in healthcare legislation.

We therefore rely on the following lawful purpose:

’Processing is necessary for compliance with a legal obligation to which the controller is subject.’

Legitimate interests:

The term ‘legitimate interests’ relate to our normal business activities which we carry out, and which would reasonably be expected as part of the running of our business and which does not impact your rights, freedoms or interests.

When you contact us to enquire about services or apply to take out the Rutherford Direct MP, we process your personal data in order for us to respond to you and provide you with the required information and services.

Data protection legislation requires that any processing must be ‘necessary’ and on all occasions we must balance our interests as a company against those of the individual’s. If the individual would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override our legitimate interests. We will always ensure that our legitimate interests do not cause unjustified harm to you.

The aim of our Rutherford Direct MP, is to provide access to services for those members who meet the eligibility requirements of the membership plan and therefore personal data is collected and processed to achieve this aim.

We therefore rely on the following lawful purpose:

‘The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.’

Special Category Data

In the planning and delivery of our services, it is necessary for us, and the companies who administer the membership plan on our behalf, to process special category data in order to administer your membership claims.

The lawful process by which we can process special category data is as follows:

‘Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3’.

Additionally, there may be situations where complaints or claims are made against us a company or against our independent medical practitioners and where the processing of special category data is necessary to respond to those complaints or claims.

The lawful purpose we would reply on for special category data in these circumstances is as follows:

‘Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.’

Consent

We will always ask for your consent to send you information on our services. You can opt in to receiving information when you complete our online forms or are provided with opportunities to join mailing lists.

There may be other circumstances where we require your consent. Wherever the processing of your personal data requires consent we will ensure we provide you with full information to allow you to make an informed decision:

‘The individual has given clear consent for you to process their personal data for a specific purpose.’

4. Who your information is shared with

Within the day to day running of our business, we may use third party organisations to support the essential delivery of services. These may be IT service providers, financial advisors, storage & shredding companies, debt management companies, call handling providers. We may also be required to share personal information to prevent fraud and to assist the police in the prevention and detection of a crime.

Where third party organisations are used, who may have access to your personal data, we ensure that there is a lawful basis for sharing, and contracts and security checks are undertaken, as necessary.

5. Processing of Rutherford Direct MP

When you become a member of the Rutherford Direct MP, certain personal information and health information may be shared between the Companies who are involved in managing your membership and if applicable, administering your claim. Only the minimum amount of information necessary to arrange treatment will be shared.

This includes the following functions:

Administrative support is provided within the Rutherford Health Group by Rutherford Health plc. Such administrative support includes directing enquiries to Proton Partners International Limited, provision of IT services, finance, governance, and marketing functions.

Northcott Global Solutions:

The Rutherford Direct MP membership claims service is administered by Northcott Global Solutions. Northcott Global Solutions require access to your personal data in order to administer your membership claim. Only the minimum amount of personal data necessary for Northcott Global Solutions to process your membership claims is shared between Proton Partners International Ltd and Northcott Global Solutions. Personal data may include:

· Personal demographic and contact information.

When a membership claim is made, Northcott Global Solutions will request additional personal information from you in order to process your claim. Personal information may include medical information (cancer diagnosis, medical reports in accordance with the Membership Plan Guide). Where any personal data is collected, Northcott Global Solutions will make accessible, a privacy notice which explains their lawful basis for the processing of your personal data.

Treatment:

Where you attend a healthcare centre to receive treatment under your membership plan, each healthcare provider will provide access to their privacy statement which explains how they will process your personal data.

Membership Payment:

Payment subscriptions to the Rutherford Direct MP are facilitated by AllPay Solutions. Only the minimum amount of personal data necessary for AllPay Solutions to collect payment subscriptions, is provided by Proton Partners International Ltd to AllPay Solutions. Their privacy notice and information on how they process data can be accessed here https://www.allpay.net/privacy-statement/

6. International Transfers

Where we, or third-party companies who we engage with, ‘process’ data (transfer, store) outside of the of the UK, we ensure that appropriate security checks are undertaken, and that processing is in line with the data protection legislation.

Where data is processed outside of the UK, it will be processed by staff operating outside the UK who work for us or for third party companies engaged by us.

7. How we protect the security and confidentiality of your personal data

All employees are bound by contractual confidentiality clauses in employment contracts, receive mandatory training in data protection and confidentiality and process information under the direction of mandatory policies and procedures. Audits are carried out to ensure information recorded and created is accurate, up to date and kept securely.

Where information is shared with third party organisations, due diligence is undertaken which include security assessments, and contracts and data sharing agreements are in place.

8. Marketing

Business to Customer:

We would like to keep you updated on the services and treatments that we provide but will only do so where you have opted in to receive such updates. When you access our services, you are provided with an option to join our mailing list. You may also have the opportunity to opt in through links or forms when you visit our website or by completing forms when you attend events. When you opt in to receive information on our services, should you wish to stop receiving updates you can either contact us and we will remove you from any mailing lists, or use the opt out link which are embedded within our communications to you.

We never share or sell your data to external marketing companies.

Business to Business:

To promote the Rutherford Direct brand and product, we may conduct direct marketing campaigns to target corporate clients who may wish to purchase our product as an employee benefit. These campaigns will be conducted by either using prior consent from the individual or using a third-party mailing list. Where ‘Legitimate Interests’ is relied upon as a legal basis for processing, the individual reserves the right to opt-out at any time. Any direct marketing conducted under ‘Legitimate interests’ will only be used in relation to business-to-business customers.

Where you have been directed to this page following the receipt of an e-mail, your company contact details have been obtained from Databroker ltd, which is a Company that builds data lists for the purpose of business-to-business direct marketing campaigns.

We may also contact your Business where we have identified significant website use, using your Company IP address. See section 10 for further information on how we use cookies to monitor website use.

9. Your rights under data protection legislation

The right to be informed:

You have the right to be informed of how we process your personal data. We inform you of how we process your data, through the provision of this Privacy Notice, and in notices we provide when you register for our services. We also inform you of other types of processing such as call recording or

CCTV through notices and recorded messages. You can also contact us at any time to query any aspect of the processing of your data.

The right to access your personal information:

You may contact us to request details of the type of processing we carry out on your personal data and a copy of the personal information which we hold about you. This is known as a Subject Access Request and must be submitted in writing to the Data Protection Officer at the address shown below.

We must process your request within one month of receipt of the request, however, if it is a complex request we may need to extend this by up to two months. You will be kept informed if an extension is required.

The right to rectification:

You have the right to have incorrect personal information amended or completed if it is incomplete.

The right to erasure:

You have the right to request that we delete the personal information we hold about you. However, there are exceptions to this and in certain circumstances we may not be able to comply with your request. For example, the right of erasure of personal information does not apply to special category data where it is being processed for medical diagnosis and the provision of health and social care.

The right to restrict processing:

You have the right to limit the way we use your personal information in certain circumstances. For example, this may occur if:

· you have asked us to amend inaccurate information or;

· you feel that your information has been unlawfully processed.

The right to data portability:

Where we are processing personal data purely in electronic format, there may be circumstances where you can request to have your data transferred (if technically possible) to another individual or organisation of your choice in an electronic format.

The right to object:

You have the right to object to the processing of your personal data in certain circumstances.

Direct Marketing:

You can ask us to stop processing your personal data for direct marketing at any time. When we receive an objection to processing for direct marketing, we must stop processing your data for this purpose.

Legitimate Interests:

You have the right to object to us processing your personal data for our legitimate interests (i.e. our business reasons) however you must give specific reasons to why you are objecting. We may not be able to meet your request depending on the reasons stated.

Automatic decision-making and profiling

We do not use automated decision-making tools or profiling when you provide us with personal information.

10. Personal data collected when using our website

When you visit our website, we automatically collect the following information:

· Technical information, including the IP address used to connect your computer to the internet, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform.

· Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

Use of Cookies – Tracking

The website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience and allows us to collect information about how the website is used, and subsequently provides an opportunity to improve the site. By continuing to browse the site, you are agreeing to our use of cookies.

We also use 3rd party cookies to identify your IP address, which is then matched against public and propriety IP address databases to provide us with information about your visit. This information may identify the organisation to whom the IP address is registered but not individuals, except for limited cases where single person companies include personal data in public records. We use this to help us identity Companies who may be interested in our product.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

See our cookies policy for further information.

11. How long do we keep personal data for?

Under data protection legislation personal data must only be processed for as long as it is necessary and not kept for an excessive period of time. How long we keep your personal data will depend on our relationship with you (i.e. the purpose for which we have obtained your personal data).

We retain personal data to provide our services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that we are subject to.

Where personal data is received as part of a contract, clauses within the contract will specify the retention period and return or deletion of personal data as relevant to each contract.

Enquiries about our products: Retained for 12 months Membership applications: Retained for 7 years after a plan ends Complaints: Retained for 6 years after a complaint has been dealt with

12. How to contact us

You can contact the Data Protection Officer by writing to us at:

The Data Protection Officer, Proton Partners International Ltd, Suite 4 Penn House, 9-10 Broad Street, Hereford, HR4 9AP

How to complain

If you believe that your information has been unfairly or unlawfully used, you have the right to contact the Information Commissioner’s Office at the address below:

Information Commissioner’s Office, Wycliffe Hous,e Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745

This Privacy Policy was last updated on 1st February 2021