1. Accessibility

If you require this privacy notice in a different format, an alternative language, or you need any help reading this document, please get in touch with our governance department by emailing informationgovernance@vhg.co.uk.

2. Introduction

As a leading healthcare provider for physical and mental health solutions in the United Kingdom, we at Vita Health Group Limited (“VHG“) are committed to safeguarding the privacy and fundamental rights of those who use our website.

We are registered with the Information Commissioner’s Officer (“ICO“) under registration number Z119838X.

This Privacy Notice (this “Notice“) covers how VHG collects, uses, discloses, transfers and stores your personal data when interacting with us through use of Spire/Vita Mental Health Portal.

This Notice is kept under regular review and updated from time to time to ensure it remains accurate. It was last updated on 5 August 2024.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

3. Identity of the data controller and scope of this notice

VHG has a number of group companies including:

• Physio for All Limited
• Pennine MSK Partnership Limited
• Crystal Palace Physio Holdings Limited
• Vita Health Solutions Limited
• Physiotherapy Specialists Limited
• Vita Health Wellness Limited
• Physiotherapy2Fit Limited
• The Abbey Clinic Limited
• The Bisham Abbey Knee Clinic Ltd

This Notice applies to the group companies listed above. Under data protection laws, the ‘controller’ is the organisation responsible for ensuring that your personal data is used lawfully and appropriately. For the purposes of data protection laws, the parent company, VHG, acts as the controller and is responsible for your personal data.

Through Spire/Vita Mental Health Portal, we provide users with access to mental health services.  We provide remote cognitive behavioural therapy sessions by telephone and video platform. These sessions will not be recorded as standard however if there is a need to record any sessions for the purpose of training or supervision this will be done by prior agreement with the service user and consent can be withdrawn at any time.

This Notice serves as the basis to enable transparent communication between us and you, as data subjects. It sets out and explains how and why we collect, process and securely store any of your personal data submitted to us through use of Spire/Vita Mental Health Portal as well as the rights you have over your personal data, with whom we may share your personal data and how to contact us about your personal data we process should the need arise.

If you have any further questions about the scope of this Notice, please contact the Data Protection Officer (“DPO“), whose details are listed in the relevant section below.

4. Collection, processing and retention of personal data

What personal data do we collect?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the unique identifiers relating to you have been removed (anonymous data).

When you use Spire/Vita Mental Health Portal, we collect personal data both directly from you and via third parties whom you instruct to act on your behalf through forms on our site, including the following:

• Identity data includes full name, date of birth and gender.
• Contact data includes postal address including postcode, email address and telephone number.
• Financial data includes bank account and payment card details.
• Transaction data includes details about payments to and from you and other details of products and services you have purchased from us.
• Technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our site.
• Profile data includes user names.
• Usage data includes information about how you use our site, products and services.
• Marketing and communications data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Notice.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you to provide you with Spire/Vita Mental Health Portal. In this case, we may have to cancel your access to Spire/Vita Mental Health Portal, but we will notify you if this is the case at the time.

How is your personal data collected?

We use different methods to collect data from and about you including through:

• Direct interactions. You may give us your identity or contact data by filling in forms or by corresponding with us online, via our website, by post, phone, email or otherwise. This includes, for example, creating an account on our site and attending cognitive behavioural therapy appointments.
• Automatic technologies and interactions. As you interact with our site, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other sites employing our cookies. Please see section further below in relation to cookies.
• Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:

Technical data from the following parties:

(a) analytics providers such as Google based outside the UK;
(b) advertising networks such as Google based outside the UK; and
(c) search information providers such as Google based outside the UK.

How do we use your personal data?

In order to use your personal data, we must do so ‘lawfully’. This means we must satisfy what is known as a ‘lawful basis’ under data protection laws.

Below are the lawful bases we rely upon:

• Consent.  In cases where you have offered specific consent to do so for a certain processing operation, we will process your personal data.
• Contractual Necessity. We need to process your personal data pursuant to a contract you have entered into, or have taken steps to enter into.
• Legal Obligation. We need to process your personal data in order to comply with our overriding legal and regulatory commitments.
• Legitimate Interest. We process your personal data when we have a legitimate interest to do so. When processing on the basis of legitimate interest, we only do so if the processing does not adversely affect your fundamental rights and freedoms as a data subject. For more information please contact our DPO using the details included below.

We have set out below a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose 1: To set you up as a patient on our system
We have to carry out checks for you to become a patient. We cannot perform these checks without using your personal data.

Legal bases for using your personal data
Contract: to take steps so that you can enter into a contract with us for the delivery of your care, and/or in connection with a contract for a healthcare professional to carry out assessment and treatment

Additional legal bases for using your special category personal data

Provision of health or social care; provision of services pursuant to contact with a health professional

Purpose 2: To provide your care and related services
Clearly, the reason you come to us is to receive care, and so we have to use your personal data for that.

Legal bases for using your personal data
Contract:

• to provide your care and related services; and
• to fulfil our contract with you for the delivery of your care.

Additional legal bases for using your special category personal data
Health or social care: to provide your care; and
Vital interests: to protect your vital interests where you are physically or legally incapable of giving consent, for example in an emergency if you are incapacitated.

Purpose 3: Investigating and responding to concerns, complaints, or claims. Complying with our legal or regulatory obligations and defending or exercising our legal rights:

From time-to-time service users may raise queries or complaints and we take those communications very seriously. We will need to use your personal data to resolve such matters fully and properly.

We are subject to a wide range of legal and regulatory responsibilities which we cannot list fully here, and we may be required by law or by regulators to provide personal data.

We may also have to consider and/or discuss with appropriate third parties your care in the context of concerns over a healthcare professional’s performance or clinical competence.

If we and our healthcare professionals are the subject of legal actions or complaints, then we need to access your personal data to fully investigate and respond to those actions.

Legal bases for using your personal data:

Contract: to provide your care and other related services
Legal obligation: to comply with our legal or regulatory obligations
Legitimate interests: for our legitimate interests in ensuring that you, and others, receive safe care and treatment. To ensure queries and complaints are answered, which does not overly prejudice you.

Additional legal bases for using your special category personal data:
Health or social care: to provide your care

Legal claims: to establish, exercise or defend our legal claims.

Purpose 4: Settling your account:

We will use your personal data to ensure that your account and billing is fully accurate and up-to-date and to enable us to collect payment via the payment portal.

Legal basis for using your personal data:

Contract: to provide your care and other related services.

Legitimate interests: for our legitimate business interest to ensure that we are paid for providing your care which does not overly prejudice you.

Additional legal bases for using your special category personal data:

Health or social care: to provide your care

Legal claims: establish, exercise, or defend our legal claims

Purpose 5: Liaising with other Healthcare professionals about your care and sharing with other external agencies where required (such as Safeguarding or Law enforcement):

We may need to share your personal data with the individuals that you ask us to update about your care.

Also, other healthcare professionals or organisations may need to know about your care for them to provide you with safe and effective healthcare services, and so we may need to share your personal data with them.

We may, on occasion, need to share your personal data with external agencies to fulfil a legal or regulatory or obligation, such as Safeguarding agencies or law enforcement services.

Legal bases for using your personal data:
Contract: to provide your care and other related services

Legitimate interests: for our legitimate business interest in ensuring that other healthcare professionals who are routinely involved in your healthcare services have a full picture of these services.

Additional legal bases for using your special category personal data:
Health or social care: to provide your care
Substantial public interest: for reasons of substantial public interest; and
Legal claims: to establish, exercise or defend our legal claims.

Purpose 6: For internal clinical audit, National Clinical Audit, medical research purposes, and product testing and improvement

Internal clinical audit
There may be a clinical audit of health records, including clinical information, carried out by us to assess care standards and identify any improvements we could make, or as required by law.

Legal bases for using your personal data
Legal obligation: to comply with our legal or regulatory obligations.

OR

Legitimate interests: for our legitimate business interest in making improvements and we have put appropriate safeguards in place to protect your privacy so that this use does not overly prejudice you.

Additional legal bases for using your special category personal data
Substantial public interest: for reasons of substantial public interest; and
Health or social care: for the management of health or social care systems and services.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Special categories of personal data

We process special categories of personal data in accordance with Article 9 of the UK General Data Protection Regulations, when we provide mental health services to you. ‘Special categories of personal data’ are a more sensitive form of personal data according to data protection laws and attract additional protection. We must satisfy an additional lawful basis to use any personal data which. Special category data includes personal data revealing:

• racial or ethnic origin;
• religious or philosophical beliefs;
• genetic data;
• data concerning health; or
• data concerning a natural person’s sex life or sexual orientation.

When you seek mental health services from us using Spire/Vita Mental Health Portal, you are asked to share data linked to your mental health. You do this primarily by

When using Spire/Vita Mental Health Portal, we will process special categories of personal data, such as data linked to your mental health when responding to our screening questions and information about your health during your cognitive behavioural therapy appointment(s). We generally do so on the basis that it is necessary for us to use your data in this way to fulfil our contract with you to provide you with mental health services.  In exceptional circumstances, we may be required to use your information in order to protect your vital interests or those of another person, for example. Such incidents are very rare.

Who do we share your personal data with?

We may share your personal data with the following so we can work together for your benefit, if they have a genuine need for it or we have your consent:

• general practitioners, therapists or psychiatrists where you ask us to arrange a referral;
• private insurers that are involved in your receipt of Spire/Vita Mental Health Portal;
• your employer;
• service providers (acting under our specific instructions as processors) who provide IT and system administration services;
• professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services; and
• HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.

We may also share your personal data with third parties when you have either consented for us to do so, or we are under a legal or regulatory duty to do so.

We may share your personal data within our group of companies, including holding companies, subsidiaries and subsidiaries of holding companies insofar as reasonably necessary for the purposes set out in this Notice.

If we sell part of our business, then we will need to share your data with the new owner. The transfer of data (this could include your personal data – name, address, contact details, etc.) will be managed in secure manner, and minimises the disruption to you and to ensure that VHG, and the new owner, are able to fully comply with our legal obligations.

If we share your personal data, we will make sure appropriate protection is in place to protect it in line with data protection laws.

For how long do we hold your personal data?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances you can ask us to delete your data: see rights of data subjects below for further information. In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for ongoing use, in which case we may use this information indefinitely without further notice to you.

If you require further information about the retention of any of your personal data, please contact our DPO, whose contact details are listed below.

5. Cookies and our site

Spire/Vita Mental Health Portal uses Cookie technology to provide increased functionality and enhance the user experience. Cookies are small text files stored by your internet browser at the request of our site. You may voluntary opt-in to various, non-essential cookies.

Please refer to our specific Cookie Notice for more information on how the Cookies on our site are utilised: https://www.vitahealthgroup.co.uk/our-policies-and-procedures/cookie-policy/

6. International transfer of personal data

We may transfer your personal data to countries outside the European Economic Area (EEA) for the purposes set out in this Notice. When making such an international transfer we ensure the that the adequate protection and appropriate safeguards are in place to securely protect your personal data. If we intend to transfer your personal data outside the EEA, we will contact you for your consent to do so.

If you would like any further information about how we transfer personal data outside of the EEA, please contact our DPO whose details are below.

7. How do we protect your personal data?

We are committed to looking after your personal data and have implemented appropriate physical, technical, and organisational security measures designed to protect against accidental loss and unauthorised access, use, alteration, or disclosure. In doing so, we comply with data protection laws.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know it. They will only use your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Rights of data subjects

You have certain rights in relation to your personal data that we hold about you. These include rights to know what personal data we hold about you and how it is used. We will use and hold your personal data in accordance with our obligations and these rights.

You may ask to exercise these rights at any time by contacting our DPO. You will not usually be charged for exercising your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

These rights do not always apply in all cases, and we will let you know how we will be able to meet your request. If we cannot meet your request, we will explain why.

Please see below for the rights available.

Right to access your personal data

You have the right to request details and a copy of the personal data we hold about you and details about how we use it. We must confirm whether we have personal data about you, and we also need to provide you with a copy of your personal data.

We will usually provide you with your personal data in writing, unless you request otherwise. If you have made the request electronically (e.g. by email) the personal data will be provided to you electronically where possible.

In some cases we may not be able to fully comply with your request, for example if your request involves another person’s personal data and it would not be fair to that person to provide it to you.

Right to rectification

You have the right to have inaccurate personal data about you corrected or removed.

Right to erasure (“right to be forgotten”)

You have the right to request that we delete certain personal data we hold about you. However, there are exceptions to this right. For example, we can refuse to delete your personal data if we need to keep for tasks which are in the public interest, or for establishing, exercising or defending legal claims.

Right to restrict processing

You have the right to ask us to restrict our use your personal data. We do not have to comply with all requests to restrict our use of your personal data. For example, if we need to use it for tasks which are in the public interest or for establishing, exercising or defending legal claims.

Right to data portability

You have the right to ask us to transfer your personal data to you or to someone else in a format that can be read by computer.

Right to object to marketing

You have the right to ask us to stop sending you marketing messages at any time and we must comply with your request.

The right to withdraw consent

You have the right to withdraw any consent you have given us to use your personal data.

The right to object to other uses of your personal data

You have the right to object to us using your personal data in a particular way (such as sharing it with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing healthcare services.

Right not to be subject to automatic decisions

You have the right to not be subject to automatic decisions (ie decisions that are made about you by computer without any human input) in relation to your care or other processes that have a legal or similarly significant effect on you. We will not use automated decision-making in relation to your care or other processes that would have legal or similarly significant effects.

Making a request

You may request to exercise any of the rights outlined above by contacting dataprotection@vhg.co.uk. Making a request is free of charge, however in cases where it is deemed that such a request is clearly unfounded, repetitive or excessive, we reserve the right to charge a reasonable fee. You will be informed of any fee before we fulfil your request giving you the chance to decide whether you want to proceed further with the request.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We endeavour to respond to any of these requests within the period of one calendar month, however in cases where numerous or complex requests are made, this time period may be extended. In this case we will notify you and keep you updated.

9. Marketing

From time-to-time, we may use your personal data to communicate marketing offers to you by post, by email, by telephone or via our social media channels. We will only undertake marketing activities in instances where you have either given us permission, or when we are pursuing a legitimate interest to do so.

If you no longer wish to receive marketing communication from us, you may click on the ‘unsubscribe’ link included with email communications. Alternatively, you may contact us using the details below to specifically request this.

You have the right to object to any direct marketing communications sent to you. If you wish to exercise this right to object, please see the relevant section about your data protection rights.

10. External websites

We may from time to time include on our sites links to and from the sites of other organisations. If you follow a link to any of these sites, please note that these sites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies and notices before you submit any personal data to these sites.

11. Data protection officer (DPO) and contact

As VHG engage with the NHS and other public bodies on a regular basis to provide various services which involve the processing of personal data a Data Protection Officer (DPO) has been appointed. The DPO in in charge of addressing and managing data protection matters concerning your personal data within VHG.

The DPO is embedded within VHG to ensure continued compliance with any relevant data protection legislation. If you wish to contact the DPO directly, please send an email to dataprotection@vhg.co.uk.

Alternatively, The DPO is also available for contact at the following postal address:

Vita Health Group
Data Protection Officer
3 Dorset Rise
London
EC4Y 8EN

12. Complaints

If you wish to raise or discuss a complaint about how your personal data has been handled by us, please contact the Compliance Officer at complaints@vhg.co.uk who will be happy to assist you.

You have the right to make a complaint at any time to the ICO, the UK regulator for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

The ICO’s contact details are set out below.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk