It is the policy of Pura Diagnostics Ltd (PDX) supported by its board of directors, to take steps to ensure that your information is kept confidential and secure and to otherwise protect and respect your privacy. PDX will only ever collect and process the minimum amount of information required in order to provide our pathology services. As well as the steps set out in this policy, PDX is working towards accreditation to the international standard for Information Security Management Systems set out in ISO/ISE 27001.

This is a high level privacy notice describing the information that PDX processes, the purpose of that processing, and how we protect it. For more detailed information including the lawful basis for processing please read our Privacy Notice.


Who is the data controller?

PDX provides independent laboratory diagnostic services to the UK private sector.

This policy together with your terms and conditions sets out the basis on which any information PDX collects from you, or that you provide to PDX, will be processed by PDX. Please read the following carefully to understand our views and practices regarding your information and how we will treat it.


PDX as a data controller and/or processor

In providing products and services, PDX may be acting as a data processor on behalf of a third parties (such as clinicians, hospitals and/or insurers) who will themselves be the data controllers, or as a data controller (if for example you are an employee). Where acting as a data controller, PDX will comply in full with this policy. Where acting as a data processor, PDX will be required to act on the instructions of the data controller


Information PDX may collect from or about you

Typically the information about data subjects that is processed by PDX comes from clinicians that you visit for healthcare purposes, but it may also be collected via email, over the phone or any other means of communication. They send us personal information in addition to pathology samples (body fluids or tissues) and request tests are carried out upon those samples.

The information provided to PDX may include:

  • your name, date of birth, gender, address, e-mail address and in some cases phone number and card payment details, and medical history;
  • practice details of the requesting clinician such as address, specialities and secretary information;
  • information that is necessary to process invoices including patient demographics, financial, bank and credit card information, medical and insurer specific information such as insurer name and policy/identification details;

You may also give PDX information by accessing or filling in forms on its websites at: www.puradx.com (‘PDX sites’) or by corresponding with PDX via its products and services, by phone, e-mail or otherwise. This includes information you provide when you register to use PDX or participate in communications or discussions on other social media platforms.


Uses of the information you provide

PDX will use this information:

To carry out PDX’s obligations arising from any contracts entered into between your clinician and PDX and to provide them with the information, products and services request from PDX such as:

  • the provision of pathology services, and associated processing of bills for payment;
  • providing test requesting and results delivery management tools
  • to process invoices on behalf of various parties, such as clinicians, hospitals and insurers;
  • for process management and improvement;
  • to notify you or your clinician about changes to PDX’s products and services and to otherwise manage PDX’s communications with you; and/or;
  • to ensure that content from the PDX’s site is presented in the most effective manner for you and for your computer.

Disclosure of your information

PDX may share your information with selected third parties including:

  • any member of its group, which means its subsidiaries, ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006;
  • business partners, referral laboratories, suppliers, insurers, logistics companies, debt management agencies, and sub-contractors required for the performance of any contract PDX enter into with them, you or your clinician;
  • for the purpose of investigating any potential legal claims against PDX, your information may be shared with our insurers in order to obtain insurance advice and services
  • National screening or public health monitoring schemes such as Public Health England;
  • Information about your interactions with our websites may be shared with organisations that assist PDX in the improvement and optimisation of websites.

When PDX shares such information, it will ensure that it is only sharing as much information as is required to fulfil the purpose for which it is sharing it.

PDX may also disclose your information to third parties if PDX is under a duty to disclose or share your information in order to comply with any legal obligation, or in order to enforce or apply PDX terms and conditions and other agreements; or to protect the rights, property, or safety of PDX, its customers, employees, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.


Where we store your information

Unless specific consent is sought and received, or another of the conditions for transferring data outside the EEA under GDPR satisfied (such as the inclusion of EU model contractual clauses in our contract with the supplier/ third party, the need to refer samples to specialist providers) we will not transfer your information outside of the EEA. The policy of your Data Controller, which could be your hospital, clinician, insurer etc… may be different to this so you should check carefully the relevant privacy policies in order to fully understand their implications.


Your rights

Under the General Data Protection Regulation you are given certain rights to control aspects of the processing of your information. You can exercise these rights at any time by contacting PDX via the methods set out in the Contact section here.

You also have the right to lodge a complaint with the information Commissioners Office (ICO) if you feel that we have not complied with GDPR requirements regarding your personal data.  They can be contacted on 0303 123 1113.  More information is available here: https://ico.org.uk/concerns/.


Contact

Questions, comments and requests regarding this privacy policy are welcomed and should be made to the Data Protection Officer:

Phone: +44330 223 4922
E-Mail: [email protected]


Consent

Under GDPR, the current methods of requesting consent to collect and process your data have been reviewed.  In certain situations, consent is not required (for example, if there is a legal obligation). However, for most scenarios, data will not be collected or processed without your explicit consent. We always ask for your explicit consent when processing personal data that we have received through our website.


Data security breaches

As outlined above, PDX takes management of your personal data seriously and takes all reasonable steps to appropriately secure your data.  In the event that a data security breach occurs, you will be notified without undue delay (either directly or via your service provider) and information will be provided regarding the nature or the breach and action being taken.

Concurrently to this, PDX will notify relevant parties such as the ICO and/or law enforcement agencies to ensure appropriate action is taken.


Review

This policy may be updated as required to ensure its compliance with data protection legislation and to exercise best practice. We recommend regular review of this policy to ensure you are happy and in agreement with our policy and associated practices.