Optum Health Solutions (UK) Limited, and its subsidiaries and affiliated companies (collectively, the “Optum UK”, “Company”, “We”, or “Us”) strive to properly address applicable data protection requirements.
Scope
This Optum UK Privacy Policy (“Policy”) provides the individuals who receive our services (“You” or “Participant”) with certain important information about how the Company handles his/her personal information (including sensitive personal information). Optum Health Solutions (UK) Limited is the primary data processor for processing of Personal Information.
Types of Data Processed
Personal information processed might include the following types of personal information:
When you are a client, we process client contact information.
Client Contact Information is personal information related to contacting a client who would like to learn more about available products and services or for the administration of contracts and payments. Client Contact Information includes personal information such as name, email address, telephone number, or fax number. Client Contact Information is collected via telephonic, face-to-face, or online interactions and is held in administrative systems and files.
When you are a service provider, we process service provider information.
Service Provider Information is personal information related to medical or health care providers, community providers, or other types of providers or consultants that we triage services with, provide services to, or which provides services to our business. Service Provider Information includes personal information such as name, address, email address, or telephone number. Service provider information may be captured in a patient’s medical record, assessment reports, assessment results, and administrative systems.
When you are a patient of a general practice or employee- of an Integrated Care Board (ICB) or Primary Care Network (PCN), we process personal information.
Patient Information is personal information related to patients of a General Practice (GP) who may be part of a Primary Care Network (PCN) that we have a contract with. Patient Information that we process may include but not be limited to patient name, address, date of birth, email address, telephone number, gender, NHS number, health data, genetic data and biometric data. Employee data we process on behalf of the PCN may include but not be limited to name, address, date of birth, email address, telephone number, gender, CV, employment history, NHS number, marital status, banking data, and trade union membership.
When you are a healthcare professional, or work within the healthcare industry, you are referred to as a “prospect.”
Prospect Contact Information is personal information related to an individual contact working within the healthcare industry, who would like to learn more about available products and services, or with whom we have a legal right to communicate with via legitimate Interest. Prospect Contact Information includes personal information such as name, job title, organisation, email address, telephone number, or fax number. Prospect Contact Information is collected via telephone, face-to-face, or online interactions and is held in sales and marketing systems and files.
Purpose of Personal Information Processing and Legal Basis for Doing So
Our use and processing of Personal Information – Our personal information processing includes:
Commissioning Support Services
We use personal information to deliver provider contract management services, administrative services, and finance and business intelligence services to PCNs and ICBs.
ScriptSwitch, Accelerate and Medicines Management Optimisation
Depending on what functionality has been purchased by the ICB/GPs, the tool may use personal information to support clinicians so that they can make informed decisions at the point of prescribing.
Integrated Care Services
We use personal information to support health systems to deliver integrated health care.
Quality Management
We use personal information for Quality Management such as ensuring the quality of service delivery, including call monitoring and recording, case consultations, and service feedback. Call recording and quality monitoring are performed. De-identified personal information may be shared with a supervisor or senior member of the staff in order to provide consultation on customer cases.
Client Reporting
We use personal information for Client Reporting such as providing aggregate statistical reports to client organisations related to overall service delivery information, trends within and across organisations, and anonymized customer satisfaction and feedback information.
Client Requests
We use personal information to respond to Client Requests such as responding to requests for more information about products and services.
Business Administration
We use personal information for business administration such as responding to requests for more information about products and services.
Accreditation and Legal Requirements
We use personal information for Accreditation and Legal Requirements such as complying with accreditation requirements and achieving the legal basis of our personal information processing.
The legal basis of our personal information processing includes processing that is:
- Necessary for the Company’s legitimate interests, including those described above;
- Necessary for compliance with Company’s legal obligations, including the provision of Optum UK services to Participants;
- Necessary for medical diagnosis, the provision of health or social care or treatment of the management of health or social care systems or services;
- Necessary for the establishment, exercise or defense of legal claims;
- Necessary to protect the vital interests of the Participant of another natural person;
- Necessary for reasons of public interest in the area of public health; or,
- Based on consent by the Participants, which may subsequently be withdrawn at any time by contacting us at the address listed below in the “Contact Information” section without affecting the lawfulness of processing based on consent before its withdrawal.
Optum's Partners, Personnel and Cross-border Transfers
We disclose personal information to third parties ("Optum Partners"), (“Optum Partners”), such as health care providers and community providers, who help us to deliver the Optum UK services. Optum Partners also share personal information with us for these purposes. Our personnel may access (on a need-to-know only basis) and process personal information in connection with their job responsibilities or contractual obligations. Such access includes those individuals who perform or oversee Optum UK program activities mentioned above and IT services as well as senior executive company managers. Where permitted, we may use some third parties, Optum Partners, and Company personnel located outside of the EEA, including in countries that may not provide the same level of data protection as your home country, such as the United States of America. We take appropriate steps to ensure that such entities are bound to duties of confidentiality and we implement measures such as standard data protection contractual clauses to ensure that any transferred Personal information remains protected and secure. A copy of these clauses can be obtained by contacting us at the address listed below in the “Contact Information” section. Optum conducts TIAs (Transfer Impact Assessments) on its partners and vendors to ensure that any third party subscribes to the required level of organisational and technical measures to both data and technical estates.
Client Reporting
We provide reports to Clients (“Client Reports”). The Client Reports are aggregated statistical reports provided to Client organisations related to overall service delivery information, trends within and across organisations, and anonymized customer satisfaction and feedback information.
Direct Marketing
- We may collect your name and contact details (such as your email address, phone number or address) in order to send you information about our products and services which you might be interested in. We may collect this directly from you, or through a third party. If a third party collected your name and contact details, they will only pass those details to us for marketing purposes if you have consented to them doing so.
- If you have provided consent to process your personal data for the purposes for marketing purposes, we will rely on your consent for as long as we have it. In other cases, if you are an existing customer or are acting in your professional capacity, we rely on our legitimate interests and those of our customers to engage in direct marketing in the B2B context.
- You always have the right to “opt out” of receiving our marketing. You can exercise the right at any time by contacting us at ask@optum.com. If we send you any marketing emails, we will always provide an unsubscribe option to allow you to opt out of any further marketing emails. If you “opt-out” of our marketing materials, you will be added to our suppression list to ensure we do not accidentally send you further marketing. Where you unsubscribe from any postal marketing, you may initially still receive some content which has already been printed or sent, but we will remove you from any future campaigns. We may still need to contact you for administrative or operational purposes, but we will make sure that those communications don’t include direct marketing.In addition, you may object to our processing of your personal data. You may contact us at information_governance@optum.com to exercise these rights.
- We may use third party service providers to send out our marketing, but we only allow them to use that information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
- We retain your details on our marketing list until you “opt-out” or we no longer have grounds under legitimate interest. At which point we add you to our suppression list. We keep that suppression list indefinitely to comply with our legal obligations to ensure we don’t accidentally send you any more marketing.
Retention of Personal Information
Personal information will be retained only for so long as necessary for the purposes set out above and in accordance with applicable laws.
Data Security and Data Integrity
We maintain reasonable safeguards to protect the personal information from loss, interference, misuse, unauthorised access, disclosure, alteration or destruction. We also maintain reasonable procedures to help ensure that personal information is reliable for its intended use and is accurate, complete, and current. If you are aware of changes or inaccuracies your personal information, you should inform us of such changes so that the personal information can be updated or corrected.
Your Rights in Personal Information That Concerns You
You may contact us by following the instructions below in the “Contact Information” section to request access to the personal information that concerns you, to request correct any mistakes, deletion of this data or to withdraw your consent to our personal information processing, in accordance with applicable law.
We might be unable to comply with such a request where doing so would place us in breach of our obligations under applicable laws, regulation or codes of practice. However, in some circumstances, you might be able to request that your data be blocked from further processing. You might also have a right to data portability to another data controller under certain circumstances. Where we rely on your consent for our personal information processing, your consent may be withdrawn at any time, although the withdrawal might impact or disrupt the services we provide to you. Whether we comply with your request or do not comply with your request, we will prepare a response within the time permitted by law, generally within a month of receiving your request, subject to extension, when permitted, in certain situations.
You may lodge a complaint with a supervisory authority if you believe that our personal information processing infringes applicable law.
Disclosures Required or Permitted by Law
Regardless of any other provisions in this Privacy Policy, we may disclose or otherwise process personal information in the context of any sale or transaction involving all or a portion of the business, or as might be required or permitted by law or required for the purposes of any regulatory audit to which the Company may be subject from time to time.
Contact Information
By following the instructions below, you may request clarification about our Policy, complain about our personal information processing, make a request to exercise rights in the personal information that concerns you, and/or request a copy of our contractual clauses designed to protect personal information.
When you contact us, we might need to make an appointment with you, where necessary, to better understand the nature of your question or clarify a request access or amendment/correction. During this process, we must verify your identity to ensure that the request is made by you, or by another person who is authorised to make a request on your behalf, such as a legal guardian.
To contact the supervisory authority:
www.ico.org.uk
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
To contact us:
information_governance@optum.com
Optum Health Solutions (UK) Limited
Information Governance
10th Floor
5 Merchant Square
Paddington
London W2 1AS
United Kingdom
Attention: Data Protection Officer
Effective Date
The Effective Date of this Privacy Policy is the 23rd May 2023. We might revise our Policy from time to time to reflect changes that we undertake in personal information processing. We will notify you of significant changes.