Privacy Notice

Privacy Notice for UKAT Group Limited (company number: 15749960)
This Privacy Notice is effective from 20th December 2024

Welcome to UKAT’s Privacy Notice.

We respect your privacy and are committed to protecting your personal data. This Privacy Notice describes how we look after your personal data and tells you about your privacy rights and how the law protects you. Please read this notice carefully.

This website and our services are not intended for, and we do not knowingly collect data relating to, individuals under the age of 16.

This Privacy Notice covers:

Who we are
How we collect your personal data
Types of Personal Data we collect about you
How and why we use your personal data
Marketing
Data Security
Retention of Data
Sharing of data
International Sharing of Data
Your rights
Contact Us
Complaints
Changes to this Privacy Notice

Who we are

UKAT Group Limited (company number 15749960) of registered address Unit 1 Imperial Place, Maxwell Road, Borehamwood, United Kingdom, WD6 1JN is the controller and responsible for this website. When we mention “UKAT”, “we”, “us”, or “our” in this privacy notice, we are referring to this entity.

The UKAT Group (the “Group”) is made up a number of different legal entities, details of which can be found in full here. UKAT and its affiliates in the Group may share personal information with each other but for the purposes of the services we provide you, the controller for your personal data will always be UKAT and any processing will be used in accordance with this Privacy Notice.

How we collect your personal data

You may be asked to provide your personal information anytime you are in contact with UKAT. You are not required to provide the personal information that we may request, but, if you chose not to do so, we may not be able to provide you with our services or respond to any queries you may have.

UKAT will collect information from you in various ways, including when you:

contact us by any means with queries, complaints or ask a question about mental health and addiction treatment.
take part in an event.
register with us for treatment or rehabilitation.
ask a question about mental health and addiction treatment.
voluntarily complete our surveys or provide us with feedback.
visit our website (website usage information is collected using cookies – see below).
engage with us on social media.
book an appointment with us or attend an event/programme that we are running.
have given a third party permission to share with us the information they hold about you.

In the event that our services are commissioned for you by third parties such as your GP, local authorities, clinical commissioning groups, or private medical insurers, they will provide us with information about you such as your name, postal address, telephone number, email address, and medical/educational history.

Types of Personal Data we collect about you

Personal data means any information about an individual from which that person can be identified. We might collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data including names, previous names, nationality, marital status, date of birth, social media usernames and identifiers, and names used on NHS websites.
Identity Document Data used to verify identity, including passport documentation, national insurance number and nationality.
Contact Data includes postal and billing address, e-mail address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of services you have purchased from us.
Health Data mean information about your physical and mental health and medical records. This is a form of Special Category Data.
Profile Data includes your interests, preferences, feedback and survey responses, records and recordings of telephone calls made with us, and records and transcripts of conversations.
Usage Data includes information about how you interact with and use our website and services, online identifiers, information gathered by the use of cookies in your web browser, and your internet protocol (IP) address. For more information about our use of cookies, please see our Cookie Notice, which is available on our website.
Marketing and Communications Data include your preferences in receiving marketing from us and third parties and your communication preferences.
Location Data includes your length of stay in one of our clinics.
Image Data includes CCTV recordings when you visit our centers.

In the course of providing care and services to patients, we may also collect, store and use other Special Category Data, which includes data about racial or ethnic origin, religious or philosophical beliefs, and Health Data.

How and why we use your personal data

Lawful basis for processing

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data under the following lawful grounds:

Where you have provided us with your explicit consent to the processing of your personal data for one or more specific purposes.
It is necessary for the purposes of our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
It is necessary for the performance of a contract with us.
It is necessary to protect the vital interest of you or other persons, such as your health and wellbeing.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

Note that we may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data. Please do contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity	Type of data	Lawful basis for processing (including basis of legitimate interest)
To respond to your queries on mental health and addiction treatment	Identity data Contact data Profile data Health data	Necessary for our legitimate interests (to manage and answer requests, queries, and complaints)
Provide updates to care and/or treatment of a patient to next of kin.	Special Category data Contact data Identity data	Consent
Provide you with further information for our work, services, activities or products	Marketing & Communications data Contact data Profile data	Necessary for our legitimate interests (keeping you informed about our services)
Auditing, data analysis, and research to improve our services and our communications with you	Profile data Usage data	Necessary for our legitimate interests (improvement of our services)
To manage and respond to your requests, queries and complaints about our services	Identity Contact Profile	Necessary for our legitimate interests (managing your requests, queries, and complaints and sending communications to you in relation to them).
Monitoring of telephone and e-mail communications between you and our staff	Contact data Special Category data Profile data	Necessary for our legitimate interests (training, quality control, and improving service standards). Legal obligation (auditing & compliance)
Provide our core medical services and therapeutic programme.	Identity data Health data Special Category data Contact data	Contract Consent Necessary for our legitimate interests (Operational management)
Booking management for beds in our clinics.	Identity data Contact data Profile data	Contract Necessary for our legitimate interests (Operational management)
To measure your experience following receipt of our services	Identity data Contact data Profile Data Transaction Data	Necessary for our legitimate interests (improvement of our services)
Security of our premises.	Identity data Image data	Necessary for our legitimate interests (security & crime prevention)
Managing website traffic and user behaviour data	Usage data Technical data	Necessary for our legitimate interests (website performance and user engagement)
Patient data management in our CRM system	Identity data Contact data Profile data Transaction data Health data	Necessary for our legitimate interests (client relationship management).
Processing payments for treatment	Financial data Contact data	Contract

How we use Special Category Data

We may process Special Category data in the provision of our services, primarily on the lawful grounds of consent. However, there may be certain circumstances where we need to process special category data without your consent, on the grounds of vital interests or the legitimate interests of either ourselves of a third party.

Where we cannot or it would be inappropriate to obtain your explicit consent, we may rely on the following conditions for processing, namely:

Where essential to protect a life.
For the provision of health or social care services.
Preventing or detecting unlawful acts.

Marketing

You will receive marketing communications from us if you have requested information from us or accepted services from us, and you have not opted out of receiving the marketing.

We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view which products, services and offers may be of interest to you so that we can then send you relevant marketing communications.

We will get your express consent before we share your personal data with any third party for their own direct marketing purposes.

You can ask to stop sending you marketing communications at any time by following the opt-out links within any marketing communication sent to you or by contacting us via the contact details below.

If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or provision of service purposes.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Retention of Data

We are legally required to hold certain information about you for a set period of time. The length of time we keep your information for these purposes will vary depending on the obligations we need to meet. All personal information will be deleted or securely destroyed at the appropriate time and we will not keep your personal information for longer than is required or permitted by law.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process your personal data and whether we can achieve those purposes with other means, and the applicable legal, regulatory, tax, accounting or other requirements. Typically, this will be up to twenty years in line with NHS guidelines for health and social care providers but this may change in accordance with our criteria.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Sharing of data

We may share your personal data where necessary internally with UKAT’s affiliates in the Group for the purposes set out in the table above.

We may also share your personal data with third parties as described below, including providers outside of the UK/EEA:

Service providers acting as processors based in the United States who provide electronic medical care record systems for clients.
Service providers acting as processors based in the United Kingdom who provide bed booking systems, including management of bed availability, client names, and booking details.
Service providers acting as processors based in the United Kingdom who provide room and bed booking systems for clinics.
Service providers acting as processors based in the United Kingdom, Ireland, and the United States who provide IT, communication and system administration services.
Service providers acting as processors based in the United States who provide platforms for exit surveys, enquiries and feedback from clients.
Service providers acting as processors based in the United States who provide client care and interaction systems for client management.
Service providers acting as processors based in the United Kingdom who provide payment systems for transaction processing.
Service providers acting as processors based in the United Kingdom who provide security solutions including CCTV at our centres.

In addition, personal information of individual service users may be shared with their relevant sponsoring third parties acting as independent controllers to decide for the funding and/or payment of services received.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

UKAT will not share your personal information with any third party that intends to use it for direct marketing unless we have received your specific consent to do so.

International Sharing of Data

We may transfer your personal data to service providers that carry out certain functions on our behalf. This may involve transferring personal data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law.

Whenever we transfer your personal data out of the UK to service providers, we ensure a similar degree of protection is afforded to it by ensuring that the following safeguards are in place:

We will only transfer your personal data to countries that have been deemed by the UK to provide an adequate level of protection for personal data, such as countries in the European Eocnomic Area (“EEA”); or
We may use specific standard contractual terms for use in the UK which give the transferred personal data the same protection as it has in the UK. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Your rights

You have a number of rights in relation to how UKAT uses your personal data under UK data protection law. You have the right to:

Request access to your personal data (commonly known as a “subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request the erasure of your personal data held by UKAT. Please note UKAT may be compelled to maintain your information due to specific legal or regulatory requirements which will be notified to you, if applicable, at the time of your request.
Withdraw consent at any time where we are relying on consent to process your personal data (see the table above for details of when we rely on your consent as the legal basis for using your data). However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
Object at any time to the processing of your personal data for direct marketing purposes. We will ask you when we collect your personal data if we can use your data for such purposes or if we can disclose your information to any third party for such purposes. You can opt-out of receiving such marketing at any time.
Ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.

Contact Us

If you have any questions about this Privacy Notice or the use of your personal data, including any requests to exercise your legal rights, please contact us in the following ways:

By Email : dataprotection@ukat.co.uk

Write to us at:

Data Protection Officer
UKAT Group Limited
Unit 1, Floor 1 Imperial Place
Maxwell Road
Borehamwood
WD6 1JN

Complaints

You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK regulator for data protection issues (ico.org.uk). We would, however, appreciate an opportunity to address your concerns before you approach the ICO, so would request that you contact us in the first instance.

Changes to this Privacy Notice

We keep our privacy notice under regular review. This version was last updated on 20th December 2024.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.