Functional Gut Diagnostics (referred to as “We, “Our” or “Us”), are committed to protecting the privacy and security of your personal information in accordance with the Data Protection Act 2018 (DPA 2018) and UK General Data Protection Regulation (UK GDPR).
Why am I being provided with a privacy notice?
We take our responsibilities under DPA 2018 and UK GDPR very seriously, and have therefore developed this notice to inform you of the data we collect, what we do with your information, and what we do to keep it secure, as well as the rights and choices you have over your personal information.
We are joint controllers for the processing of your personal data for Hydrogen and Methane Breath Testing purposes and can each be contacted for further information via the contact us section below.
1. The information we collect and when
If you are a private patient, we may collect your information directly through information forms, over the phone, in person, over email and via the testing kits. If you are an NHS patient, you may receive/provide the relevant information via the NHS, your hospital, or your health practitioner, however we will still collect and process the data ourselves.
We may collect the following information from you:
- Personal contact information (such as name, address, phone number, and emergency contact information).
- Your patient details (e.g., date of birth, FGC ID, GP Practice).
- Special requirements (such as language or communication method).
- The breath samples that you provide as part of the testing.
- Health and medical information (e.g., allergies, symptoms, dietary information, etc).
- Biographical and demographic information.
You are under no statutory or contractual requirement or obligation to provide us with your personal information; however, we will often require elements of the information above in order to conduct the testing/research in an efficient and effective manner.
2. How we use your information
We only process, store or transfer your personal information when we have a lawful basis for doing so. We may use your personal information in the following ways:
|Processing activity||Lawful basis|
|To contact you by email and to have your reports sent via email to yourself and to the referring consultant/secretary||Legitimate Interest: Processing is necessary for the purposes of our legitimate interests (i.e., our business interests), except where such interests are overridden by your interests or fundamental rights and freedoms. We believe we have a legitimate interest to process your data in order to send you our testing kits, carry out the testing, to communicate with you and your doctor regarding the testing and to ensure we process the data securely at all times.|
|To contact you following your enquiry, reply to any questions, suggestions, issues or complaints you have contacted us about|
|To perform and administer clinical testing|
|To meet our high security standards in managing your personal data and our systems|
|To deliver our testing kits|
|To comply with applicable laws, lawful requests and legal process, where appropriate/necessary||Legal Obligation: Processing is necessary for compliance with our legal obligations|
|To comply with regulatory monitoring and reporting obligations, where appropriate/necessary|
|For teaching and/or research purposes||Consent: You have given consent to the processing of your personal data. You are able to remove your consent at any time by contacting us using the details below.|
As well as the lawful bases identified above, when the data we are processing is considered ‘special category data’, such as your health information, we ensure that the processing is necessary for:
- Medical diagnosis, the provision of health or social care or treatment; or
- For reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices; or
- For scientific research purposes.
3. Who we might share your information with
We only share your data with other parties where necessary to achieve our purposes. We may transfer data:
- To the Functional Gut Clinic in their capacity as our partner in their capacity of providing result interpretation on the test report.
- To the NHS, health care professionals, researchers, academics, public health organisations, and publishers to help perform and generate results of the testing or, where you have provided your consent, for teaching and/or research.
- Logistics and delivery companies, in order to facilitate the delivery of testing kits.
- With third party companies or individuals (data processors) to perform services on our behalf. This would include data storage companies, and technology support and services. We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it.
4. Your rights over your information
4.1 The right to be informed about our collection and use of personal data
You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal data protection policies and through this privacy notice. These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
4.2 Right to access your personal information
You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is sometimes termed a ‘Data Subject Access Request’. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within one month from when your identity has been confirmed.
We would ask for proof of identity and sufficient information about your interactions with us that we can locate your personal information.
4.3 Right to rectify your personal information
If any of the personal information we hold about you is inaccurate, incomplete or out of date, you may ask us to correct it.
4.4 Right to object or restrict our processing of your data
You have the right to object to us processing your personal information for particular purposes or have its processing restricted in certain circumstances.
4.5 Right to erasure
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
For more information about your privacy rights
If you would like to exercise any of your rights or would like more information, please contact us as set out below.
The Information Commissioner’s Office (ICO) regulates data protection and privacy matters in the UK. You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.
5. How long we keep your information for
We will retain your personal information in accordance with Data Protection Legislation and for only as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal or reporting requirements.
Unless otherwise required by law, your data will be stored for as long as necessary after our last contact with you/the testing has been completed/some other identifiable action or period, at which point it will be deleted.
In some circumstances we may anonymise your personal information (so that it can no longer be associated with you), in which case it will no longer constitute personal data under the UK GDPR.
To protect your data, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure your collected data.
We take security measures to protect your information including:
- Limiting access to our buildings to those that we have determined are entitled to be there (by use of passes, key card access and other related technologies).
- Implementing access controls to our information technology.
- We use appropriate procedures and technical security measures (including pseudonymisation, strict encryption, anonymisation and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices and stores.
7. Contact us
If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this policy, the way your personal information is processed, please contact us:
We have appointed Dr Anthony Hobson as our Data Protection Officer to help us monitor internal compliance, inform and advise on data protection obligations, and act as a point of contact for data subjects and the ICO.
We are registered with the Information Commissioner’s Office (the ICO) with registration number ZA243158