Your privacy is important to us. This Privacy Notice explains the manner in which London International Patient Services Limited (company no. 10111760), LIPS Holdings Ltd (company no. 15181415) and its wholly-owned subsidiary, LIPS Battersea Ltd (company no. 15262656) ("LIPS Healthcare", "we" and "us") collects, uses, maintains, and shares information about:
- visitors to our website located at Expert Private Healthcare | LIPS Healthcare (lips.org.uk)
- users of our healthcare services provided at the LIPS Pharmacy or LIPS Healthcare Clinic at Battersea Power Station ("Battersea")
- customers of healthcare professionals who provide services at locations other than Battersea and who are supported by LIPS Healthcare. Such healthcare professionals use our systems to hold your personal data and manage their delivery of services to you
We handle a wide range of information about you in order to support you and your needs. This Privacy Notice provides details of the personal data we collect from you, what we do with it, how you might access it and who it might be shared with. We do not knowingly collect the data of children. Please do not provide data to us unless you are at least 18 years old.
1. Who 'we' are
Data Controllers are responsible for deciding how your data is held and used, and taking care of your data.
- When you visit our website or make an enquiry by email or telephone then London International Patient Services Limited is the Data Controller of your personal data
- If you receive services from Battersea, then LIPS Battersea Ltd is the Data Controller of your personal data
- In all other cases where you receive care from a healthcare professional supported by LIPS Healthcare, London International Patient Services Limited is the Data Controller of your personal data
When we use the words 'LIPS Healthcare,' 'we', 'us' or 'our', this refers to the relevant company as outlined above.
As a Data Controller we ensure that anyone we work with, who might need to access your data, also takes care of it and follows our rules.
2. What we do with your personal data
- The purposes for which we use your personal data are dependent on whether you use our website, our Battersea services and/or are accessing services provided by a healthcare professional supported by LIPS Healthcare.
- If you use our Battersea services we use your personal data for the provision of our healthcare services and the performance of our contract with you.
- If you are the customer of a healthcare professional supported by LIPS, we will use your personal data to provide support services to that healthcare professional. These include maintaining your patient record, arranging appointments and dealing with payments and insurance claims.
- If you use our website, we will use your personal data to ensure the smooth running of the website.
- We may also use your personal data for other similar purposes, including marketing and communications, but that will only occur if we have your consent or another legal justification for doing so.
- Further detail about the purposes for which we use your personal data is set out at section 5 below.
3. What personal data do we collect?
In this policy your "data" means information or pieces of information relating to you or that could allow you to be directly or indirectly identified.
When we refer to a "LIPS Healthcare professional" we mean a healthcare professional who delivers services on behalf of LIPS Healthcare at Battersea or who uses LIPS Healthcare to provide administrative support.
We may collect, use, store and transfer different kinds of data about you:
People who receive services from a LIPS healthcare professional
- Contact Data includes data such as your email address, telephone number and correspondence address.
- Identity Data includes data such as first name, last name, username or similar identifier, date of birth and gender assigned at birth, photographs of you that you send to us for identification purposes.
- Health Data includes any information you provide to us or a LIPS healthcare professional about your physical or mental health, including images, correspondence/reports relating to your health, current medication and your GP details if you choose to provide these to us. It also includes details of your appointments.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
- Profile Data includes any communications you have with us, purchases or orders made by you, your preferences, feedback and survey responses; and any information about you that we may legitimately access from social networking sites, for example, if you post about our services.
- Insurance Data includes information about your insurance company (if any), the extent of your cover and any claim that you make against your insurer in relation to our services.
- Marketing and Communications Data includes your preferences in receiving marketing from us, selected third parties and your communication preferences.
People who receive services from a LIPS Healthcare professional
- Special Categories of Data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, and genetic and biometric data where this is used for identification purposes.
- Criminal Convictions Data includes details about your criminal convictions and offences where relevant for your treatment.
If you fail to provide personal data, where we need to collect it by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with healthcare services). In this case, we may have to cancel your appointment, but we will notify you if this is the case at the time.
4. What rights do you have over your personal data?
- Right of access: you have the right to obtain from us a copy of the data that we hold for you, and check that we are lawfully processing it.
- Right to rectification: you can require us to correct errors in the data that we process for you if it is inaccurate, incomplete or out of date, though we may need to verify the accuracy of the new data you provide to us.
- Right to portability: you can request that we transfer your data to another service provider if you initially provided consent for us to use the data or where we used the data to perform a contract with you.
- Right to restrict or object to processing: in certain circumstances, you have the right to require that we restrict the processing of your data if you believe our processing impacts on your fundamental rights and freedoms. However, we may demonstrate that we have legitimate grounds to process your data notwithstanding your rights and freedoms.
- Right to be forgotten: you also have the right at any time to require that we delete the data that we hold for you, where it is no longer necessary for us to hold it. However, whilst we respect your right to be forgotten, we may still retain your data in accordance with applicable laws, and when we respond to your request we shall notify you of any specific legal reasons that we have to retain your data.
- Right to stop receiving marketing information: you can ask us to stop sending you information about our services, but please note we shall continue to contact you in relation to any matters relating to your account, if you have one.
- Right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
5. How we lawfully process your data
We will only use your data where we have a lawful basis to do so (also known as an Article 6 condition). The lawful bases that we rely on are:
- For Battersea patients, performance of our contract with you – including carrying out any preliminary checks needed before agreeing to provide you with services.
- Compliance with legal requirements.
- Legitimate interests. When we refer to legitimate interests we mean our legitimate business interests in the normal running of our business which do not materially impact your rights, freedom or interests. We do not use your personal data for activities where our interests are overridden by the impact on you.
There are special rules about how we can use Health Data. For Health Data, in addition to the lawful basis outlined above, we must also comply with an Article 9 condition. Below we have set out the conditions that we are relying upon under both these Articles in order to use your data.
| Purpose | Type of data typically used | Article 6 Condition | Article 9 Condition |
|---|---|---|---|
| To register you as a new customer | (a) Identity (b) Contact (c) Health | Article 6(1)(b) - performance of a contract with you (Battersea patients only) Article 6(1)(f) – necessary for legitimate interests (supporting clinicians who use LIPS services) | Article 9(2)(h) - healthcare and social care purposes |
| Carry out identity and/ or soft credit checks | (a) Identity (b) Contact (c) Financial (d) Profile | Article 6(1)(b) - performance of a contract with you (Battersea patients only) Article 6(1)(f) – necessary for legitimate interests (supporting clinicians who use LIPS services) | Not applicable – no Health Data used |
| To process and deliver services to you including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us or clinicians we support | (a) Identity (b) Contact (c) Health (d) Financial (e) Transaction (f) Marketing and Communications | Article 6(1)(b) - performance of a contract with you (Battersea patients only) Article 6(1)(f) – necessary for legitimate interests (supporting clinicians who use LIPS services) | Article 9(2)(h) - healthcare and social care purposes |
| To manage our relationship with you including: (a) Notifying you of changes to our privacy policy (b) Asking you to leave a review or take a survey | (a) Identity (b) Contact (c) Profile (d) Marketing and Communications | Article 6(1)(a) - consent Article 6(1)(b) - performance of a contract with you Article 6(1)(c) - compliance with a legal obligation Article 6(1)(f) - necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) | Not applicable – no Health Data used |
| To administer and protect our business and this website including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data | (a) Identity (b) Contact (c) Technical | Article 6(1)(f) - necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) | Not applicable – no Health Data used |
| To deliver relevant content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | Article 6(1)(a) - consent | Not applicable – no Health Data used |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical (b) Usage | Article 6(1)(a) - consent | Not applicable – no Health Data used |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile | Article 6(1)(a) - consent | Not applicable – no Health Data used |
6. Where we get your data from
There might be some instances where we receive data about you from other organisations or people such as credit reference agencies, the electoral register, and our verification partners – for purposes such as verifying your identity and confirming the validity of data relating to you.
We may also receive data about you from our partners such as:
- other healthcare professionals involved in your care, for example your NHS GP
- your insurance company
- our payment services provider
- our data analytics service providers, advertising networks and search information providers
- our debt collection agency
7. Who we share your data with
There may be situations in which a third party will need to access or be given a copy of your personal data. Some examples have been included below:
- Healthcare professionals who are Data Controllers in their own right (for example, in order to deliver your care)
- Companies within the LIPS group, where this assists the delivery of services to you or a LIPS Healthcare Professional
- Suppliers or collaborators (for example, in order to provide bespoke 3D prosthetics, or to support our IT infrastructure)
- Regulators, authorities or government bodies (for example, in order to resolve a complaint that has been raised or to conduct professional body safety reviews)
- Professional advisers, including external legal advisors, insurance companies and medical experts (for example, in order to resolve a legal claim or dispute, to provide pre and/or post procedure reviews)
- Third parties for the purposes of debt collection
- Third party payment processor companies. For the avoidance of doubt, LIPS Healthcare will not store any of your payment card details
- Delivery companies for the purposes of transportation
- Third parties for health, wellbeing & patient safety analysis
- Third party service providers for the purposes of storage of information and confidential destruction of information.
- Third party service providers for the purpose of administrative and back-office functions.
Where a third party Data Processor is used, we ensure that, in addition to their obligations under data protection laws, they operate under contractual restrictions which aim to safeguard the confidentiality and security of your information.
8. Where in the world your data is physically sitting
We may need to transfer your information to other LIPS Healthcare Group companies or service providers in countries outside the United Kingdom and European Economic Area (EEA). The EEA consists of countries in the European Union, Switzerland, Iceland, Liechtenstein and Norway: they are considered to have equivalent laws when it comes to data protection and privacy.
Transfers of data outside the UK and EEA may happen if our servers (i.e., where we store data) or our suppliers and service providers are based outside the UK and EEA, or if you use our services and products while visiting countries outside this area. For example, we currently carry out some administrative processing securely from our Cairo, Egypt location. In some cases processing of personal data may also be carried out in the United States of America.
Where we store or share personal data with a third party in a country outside of the UK or EEA, we will put appropriate safeguards in place to protect that data in accordance with the applicable data protection laws and the ICO guidance. These can range from a contract with that third party supplier that includes the ICO International Data Transfer Agreement through to technical measures to protect it while it gets there. If you would like further detail please contact dataprotection@lips.org.uk
We may also need to share your data with a third party in a country outside of the UK if you are a resident of another country and that third party is authorising or providing part of your care. Again, if you would like further detail please contact dataprotection@lips.org.uk
9. How long we keep your data
We only keep your data as long as it is required either by English Law, health regulatory best practice, codes of practice, or our own legitimate business needs in line with our corporate policies.
The length of retention varies per type of record. Some records are only kept short-term, and some kept more long-term if they relate to legal matters or long-term medical conditions. Below are the considerations we use to determine the appropriate retention period:
- The purposes for which we process your personal data and whether we can achieve those purposes through other means
- The applicable legal, regulatory, tax, accounting or other requirements
- The amount, nature, and sensitivity of the personal data
- The potential risk of harm from unauthorised use or disclosure of your personal data.
10. How we protect your data
Your data is safeguarded to the level of protection necessary while it is in our management. All information collected is secured against unauthorised access, damage, loss or destruction, whether physical or electronic. Our ISMS (information security management system) is certified to ISO/IEC 27001:2013. Our UK business is also Cyber Essentials Plus certified. We maintain what we believe are appropriate security controls to protect personal data. Risk assessment, including assessing risks to the rights and freedoms of data subjects, is at the heart of our ISMS.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your data, we cannot guarantee the security of your data transmitted to our website or by us to your personal email address. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
11. How to Contact Us
If you wish to exercise your data protection rights or have any questions or queries about how we handle your personal data, please contact the relevant privacy team (see section 1 for guidance):
- London International Patient Services Limited: dataprotection@lips.org.uk, +44 (0) 207 164 6114, LIPS Privacy Team, LIPS Healthcare, 5 Devonshire Place, London, W1G 6HL
- LIPS Battersea Ltd: dataprotection@lips.org.uk
Our Data Protection Officer (DPO) is GRCI Law Limited, at dpoaas@grcilaw.com, Unit 3, Clive Court, Bartholemew Way, Cambridgeshire Business Park, Ely CB7 4EA.
For individuals who are based in the EU, we have appointed IT Governance Europe Limited to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your EU rights or general privacy matters, please email our Representative at eurep@itgovernance.eu
Please ensure that you include the relevant company name in any correspondence you send to our representatives.
12. How to complain
You have the right to complain to the Information Commissioner's Office (https://www.ico.org.uk), which is responsible for monitoring compliance with UK data protection laws.
If you have a complaint about how we have used your personal data, we ask that you let us know before going to the ICO, so that we have the opportunity to put things right. You can make a complaint by contacting complaints@lips.org.uk
13. Updating this policy
We may update this policy from time to time. This Policy was last updated in September 2024. You may contact us if you wish to review any previous version.