3Beam respects your privacy and is committed to the protection of your personal information. This Policy describes how we process personal data we may collect from you.
3Beam Ltd, incorporated in England and Wales – registered number 12144164.
Registered office: 86 Harley Street, First Floor, London, England, W1G 7HP.
We process personal data as defined in the General Data Protection Regulation (EU) 2016/679. We are registered under the Data Protection Act with the Information Commissioner’s Office, number ZA534141. Our CQC Registered Manager is responsible for the implementation of this Policy.
Legal basis for processing
We process the personal information of data subjects to conduct our radiology services. We will only collect personal data upon receiving consent to do so. With regard to patients, data is collected upon referral from your healthcare professional for our services, and we subsequently collect and process your radiology data. With regard to healthcare professionals, data is collected upon registering to use our services and to keep you informed of our activities and news in relation to our radiology services.
Personal data collected
Patients referred for radiology imaging are required to share both personal and sensitive data for practitioners to comply with the Ionising Radiation (Medical Exposure) Regulations 2017 (IR(ME)R2017).
Patients are required to provide the following personal data:
- Full name
- Home address
- Telephone number or mobile number
- Email address
- Date of birth
For each patient we require the following sensitive personal data:
- Type of radiology examination
- Region of interest for radiology examination
- Clinical indications and any other relevant medical or dental history
Patient data is uploaded via our online referral portal. Healthcare professionals are responsible for notifying the patient that their personal and sensitive personal data will be provided to 3Beam.
For each patient we collect and store the following sensitive personal data:
- Radiology images
- Radiology doses
Upon completing a radiology examination, the patient will receive an email asking for their feedback, to comply with regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014.
Healthcare professionals referring patients register their details via our online portal including:
- Title and full name as registered with the relevant regulatory body
- Regulatory body registration number
- Correspondence and billing address, email address and contact telephone number
- Payment card details
- Selecting a password of their choice to access their individual referrer account, to facilitate online appointment scheduling and to access the relevant referred patient radiology data. Healthcare professionals are responsible for their individual account and for maintaining the confidentiality of their password
What personal data is used for
- Identification upon making contact
- Making contact to arrange and notify regarding appointments
- Processing the referral received from the relevant healthcare professional and to conduct the radiology examination. Where requested, reformat radiology images
- Providing feedback following radiology examination
- Providing billing and payment confirmation, if required
- Notification of any data breaches
- Identification, enabling logging on to and utilising our online portal, including contacting us for assistance
- Confirming registration details with the relevant regulatory body
- Service Level Agreement fulfilment
- Compliance with the Ionising Radiations Regulations 2017 and the Ionising Radiation (Medical Exposure) Regulations 2017
- Correspondence and record keeping regarding billing, services and training
- Notification of any data breaches
Who is personal data shared with
In accordance with our regulatory requirements, we will not share your personal data with third parties unless there is a legal obligation to do so.
Upon the request of the referring healthcare professionals for specific services such as cephalometric tracing or radiology reports, we will need to share your personal data with trusted third parties for processing. Processors may only use your data for the exact purposes for which it has been shared with them.
Data sharing and data processing agreements with third parties are in place to ensure that suppliers meet their obligations with respect to data privacy.
We currently share personal data with the following processors:
- CephX for cephalometric radiology analyses (maintains an EU-U.S. Privacy Shield registration recognised by the ICO)
- Medica Reporting (Medica Group, MGP) for radiology reporting
- Dr Rebecca Davies - Dental & Maxillofacial Specialist Radiology Consultant
How long is personal data retained for
Personal data will be retained for as long as is necessary for the purpose it was collected.
For patients referred for radiology imaging, we adhere to The Royal College of Radiologists position statement on the Records Management Code of Practice for Health and Social Care 2016: application of the Code to radiology records retention protocol.
The Code requires:
- For imaging and report records of adults, these should be retained for 8 years from when the patient was last seen in the organisation that stores the data and is responsible for retention of it
- For imaging and report records of children, these should be retained until the child's 26th birthday or eight years since the child was last seen, whichever is later, in the organisation that stores the data and is responsible for retention of it
For healthcare professionals, we will keep your personal data for as long as you are party to a data processing agreement with us.
Any destruction of data in accordance with this policy will be undertaken securely, in line with best practices.
How personal data is protected
Information governance and security are important to our organisation. Personal data is stored and encrypted on our online portal hosted in the cloud with AWS, certified for compliance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015. Our web domain has an SSL certificate and we have a dedicated IP address. All employees must also adhere to the Data Protection and Information Sharing and Storage Policies.
Correcting and deleting personal data
Patients or healthcare professionals may contact us if they believe their data is incorrect. We will update it accordingly to ensure it is kept accurate.
If you would like us to delete your data, you may contact us and we will be able to do this subject to the applicable legislation and data retention recommendations.
Access to personal data
You have the right to request access to the data we have about you by making a subject access request. We will comply with any request within one month.
Patients may contact us to request a copy of their radiology data which can be sent electronically or on a USB flash drive. Instructions for how to open the radiology data will also be provided.
Right to complain
For further information in respect of your rights as a data subject, please see details on the Information Commissioner’s Office website https://ico.org.uk/make-a-complaint/your-personal-information-concerns/
Changes to this policy
To comply with the law, changes in legislation or changes in business requirements, this Policy may be updated. We encourage you to review this Policy for any changes in future.