Privacy Policy
1. Who Is Radconsult?
CYA Medical Ltd (trading as Radconsult) takes its data protection and privacy responsibilities
seriously. This notice explains how Radconsult collects and uses personal information in the
course of our business activities in our capacity as data handler for the purposes of applicable
data protection legislation. Please read this notice carefully.
Our contact details are:
188-189 Drury Lane, London, WC2B 5QD
Information Commissioner's Office (ICO)
Please go to https://ico.org.uk/for-organisations/ for more information
We are registered with the UK Information Commissioner’s Office (ICO) under registration
number ZB519962.
Data Protection Officer (DPO)
Radconsult has a Data Protection Officer (DPO) whose role it is to ensure that data protection
is built into our culture and working practices. If you have any questions about the use of your
personal data, you should contact the DPO in the first instance. The contact details of our DPO
are:
Mr Dervish Ibrahim
Mob: 00447947834584
Radconsult’s DPO is registered with the ICO.
2. What Does Radconsult Do?
X-rays, CT imaging, MRI and other imaging modalities are taken in hospitals and clinics to help
to diagnose illness and injury. Specialist clinicians, called radiologists, provide services to
those hospitals and clinics by interpreting this imaging to assist treating doctors in working
out the cause of a patient’s injury or illness and the appropriate treatment for it.
Radconsult services operate, broadly, by:
1) Treating clinicians, doctors and other specialists at our client (an NHS Trust hospital or
clinic and/or other hospital or clinic customers on whose behalf we provide services) take an
x-ray and/or other imaging of an injured or ill patient;
2) The x-ray and/or imaging and other data (‘Imaging’) are then provided to us (directly or
indirectly) by our customer;
3) We, with the support of our employee and consultant radiologists, review and interpret
the Imaging using our secure systems, and arrange to generate a report on that Imaging (a
diagnostic report);
4) The diagnostic report on the Imaging is sent back to the client through our secure
systems and is then used as part of the care and treatment of the patient.
​
3. Our Responsibilities
Patients
Radconsult as data processor
We process personal information of patients on behalf of our clients when we provide our
services to them (i.e. by providing the diagnosis report to the relevant hospital or clinic). When
we do this, we act as a "data processor" under relevant data protection laws, whilst our
customer will be the relevant "data controller".
​
In order to provide the diagnosis report to our customers, our customers provide us with the
following personal information on patients that we will process on behalf of the customer as
a processor:
​
• Patient Demographics (name, address, Date of Birth, Patient ID, NHS Number,
Accession);
• Referral form information - background or clinical history which is deemed
relevant by the referring clinicians; and
• Images – x-rays, CT scans, MRI scans and other kinds of radiographic imaging, in
order to report on them.
​
We will only process patient personal information in order to provide our services to our
customers or where required by law. As controller, our customer is ultimately responsible for
making sure that its patients’ personal data is treated in accordance with applicable data
protection laws. That includes informing patients, in the first instance, how service providers
(like us) collect and use data on their behalf.
​
Radconsult as a Data Controller
In certain instances, Radconsult may process your personal information as a data
controller. We may do so for record-keeping purposes when a legal obligation exists. As
regulated by the Care Quality Commission (CQC), we are obligated to maintain accurate
records of the care and treatment provided. Our clinicians, governed by the GMC, have
professional obligations to uphold in delivering care and treatment.
We may also act as a data controller for record-keeping purposes related to healthcare or
insurance, handling complaints or concerns about our services, defending legal claims, and
conducting clinical audits for insurance and professional regulatory purposes.
If you have concerns or questions about how we handle your personal information within
the context of Radconsult's services, please contact us using the information provided
above. Note that direct contact with us may require disclosing your request to the relevant
customer.
​
Customers and Website Users
We collect your personal data when you use our website, avail of our services, or contact us
via post, telephone, or email.
​
Types of Personal Data We Collect
Depending on the purpose, we may collect and use disclosed personal data, including your
name, contact details, marketing preferences, and other relevant information provided
during correspondence. When providing services, we receive details of a treating clinician's
name and contact details. For telephone services, call recordings are collected for
record-keeping, quality control, audits, monitoring, and medico-legal purposes, adhering to
Radconsult's records management and retention policies.
​
Your use of our websites provides information such as IP address, browser-generated
details, and browsing session data. This information is used to tailor your browsing
experience and for statistical purposes, not for individual identification.
​
If you provide personal information about others or if others provide your information, we
only use it for the specific reason provided. By submitting this information, you confirm your
authorization for us to process it on your behalf in accordance with this Privacy Policy.
​
4. Why We Collect Data (the purpose and legal basis of processing)
Your personal information will be used for the purposes listed in the table below. Radconsult
will only collect, use and share your personal information where we are satisfied that we have
an appropriate legal basis to do this. We have also described the legal bases which we rely on
in the table. The legal basis we rely upon will impact which rights you have in relation to your
personal information (see section below for more details):
​
For Service Delivery:
This processing is indispensable to execute the contract between you and us.
Additionally, we believe it aligns with our legitimate interest in providing customers with
requested products and services, integral to our business.
​
To Conduct Business:
This processing is vital for fulfilling the contract between you and us. We view engaging
in business with customers as a legitimate interest crucial to our business, aiding in the
preservation and growth of our operations.
Correspondence Regarding Services:
When a contract exists, this processing is necessary to fulfill the agreement between
you and us. In cases without a contract or if the contract involves your employer, this
processing is essential for our legitimate interests. We consider conducting business
with customers as a legitimate interest, pivotal to preserving and expanding our
business operations.
​
Invoicing Customers:
This processing is necessary for our legitimate interests. We believe it is in our
legitimate interest to ensure all customers receive an optimal experience, contributing
to the preservation and growth of our business. Understanding customer needs is
crucial for an excellent customer experience.
​
Record Keeping:
This processing is essential to comply with legal obligations, particularly under the
regulation of the Care Quality Commission. In the absence of a legal obligation, we
view processing personal information as a legitimate interest, ensuring the safety and
quality of services we provide.
​
Website Use Monitoring:
This processing is vital for our legitimate interests. We believe it is in our legitimate
interest to continually improve our services, contributing to the preservation and growth
of our business.
​
IT Environment Monitoring:
This processing is necessary for our legitimate interests. We consider it a legitimate
interest to continually enhance our services, contributing to the preservation and
growth of our business, and ensuring the provision of relevant information.
Employee Training:
This processing is vital for our legitimate interests. We believe it aligns with our
legitimate interest in ongoing service improvement, preserving and growing our
business, and enhancing the security of our website.
​
Compliance with Legal and Regulatory Requirements:
Our use of your personal information is necessary to adhere to relevant legal or
regulatory obligations.
​
Marketing and Identifying Goods and Services:
This processing is necessary for our legitimate interests. We consider it a legitimate
interest to keep customers informed about our products and services, supporting the
preservation and growth of our business. Consent will be obtained where required by
law, and we respect your preferences if you choose not to receive such
communications.
​
5. Sharing Personal Information
We handle all data with confidentiality, sharing information as described below:
​
- Our staff and radiologists
- Clinicians and staff at the client (e.g., hospital or clinic) commissioning our services
i. Third parties aiding our business, completing annual security questionnaires and
undergoing annual risk assessments
​
ii. Regulators to comply with laws, regulations, and requests from law enforcement and
governmental agencies
​
iii. Individuals involved in legal proceedings to establish, exercise, or defend our legal rights
​
iv. Non-personal, aggregate statistical information about website visitors, traffic patterns,
and usage with partners, affiliates, or advertisers
​
v. In the event of selling or transferring our business or assets to a third party, disclosing
information to potential or actual purchasers.
​
6. Automated Decision Making
We do not employ automated decision-making, but some website tools may be supported
by electronic systems.
​
7. Data Retention
We strive to keep personal information current, deleting irrelevant or excessive data within
30 days. While some data may be retained for legal and business reasons, we generally
keep personal information for the relationship period plus the statutory limitation period. For
clinical images, we use a waterfall system, storing images for approximately 4 weeks and
maintaining other study-related information per legal requirements. Once reported, images
are stored in restricted cold storage and accessed for medical legal reasons, adhering to
NHS retention policies or contractual agreements. We apply a records retention policy,
securely deleting or storing personal information no longer needed by Radconsult.
​
8. How Do We Keep Your Data Safe And Secure?
Radconsult are committed to protecting the security of the personal information you share
with us. In support of this commitment, we have implemented appropriate technical, logical,
physical and organisational measures to ensure a level of security appropriate to the risk. For
example, amongst other measures, we maintain a security policy and store all of your
personal information on secure servers. All patient personal information is transferred
securely via encrypted channels. The log-off process is enforced via Radconsult policy.
Radconsult’s systems undergo regular independent penetration testing. Data is stored in
secure cloud data centres, which have strict access controls in place. All our staff work under
strict contractual obligations of confidentiality, and receive training on data protection matters.
Our clinicians and radiologists are subject to professional regulatory standards which include
confidentiality matters.
​
Please note that we are not in any way responsible for the security or content of, and this
privacy notice does not cover the processing of your personal information by any third-party
services used in conjunction with our services. It also does not cover the use of services for
which we are acting as Processor: in these cases the relevant controller should provide you
with an additional notice.
​
9. Your Privacy Rights
Subject to specific exemptions and the nature of our data processing activities, you possess
certain rights concerning your personal information. For access requests, additional identity
verification may be required, and fees may apply where permitted by law. Contact us at
info@radconsult.co.uk to exercise your rights, and we'll make reasonable efforts to
promptly fulfil your request, informing you of any additional information needed. However,
we may not always fully address your request if it impacts confidentiality duties or is legally
required to be handled differently.
​
Right to Access
You can request a copy of your personal information, including its source, processing
purposes, data controller's identity, and entities to whom it may be transferred.
​
Right to Rectify or Erase
Request corrections to inaccurate personal information or its erasure in specific
circumstances. Exceptions apply for legal obligations or the establishment, exercise, or
defense of legal claims.
​
Right to Restrict Processing
You can request a restriction on processing for contested accuracy, unlawful processing, no
longer needed purposes, or pending verification of overriding grounds after objecting.
​
Right to Data Portability
Ask for your personal information in a machine-readable format or direct transfer to another
data controller, based on consent or contract performance.
​
Right to Withdraw Consent
Withdraw consent for future processing, without affecting prior lawful processing based on
consent.
​
Right to Object
Object to processing based on legitimate interests at any time, with an opportunity for us to
demonstrate compelling legitimate interests.
​
Right to Object to Direct Marketing
Object to personal data processing for direct marketing, requesting changes in contact
methods or restricting transfers to unaffiliated third parties.
​
Right to Lodge a Complaint
Lodge a complaint with your local supervisory authority, such as the UK Information
Commissioner (www.ico.org.uk), after attempting to resolve issues with us.
​
For questions, concerns, or complaints, contact us first. We aim to investigate and resolve
promptly, honoring your rights within data protection laws' timescales.
​
10. Procedure Validity
This policy undergoes annual review by Radconsult's Information Governance Lead, Mr Dervish Ibrahim.