Privacy Notice

1. Who We Are

This privacy notice explains how Healthcare Management Trust ("we", "us", "our") collects,
uses, and protects your personal information when you use our website and services.

Contact details:

• Organisation: Healthcare Management Trust
• Address: 1 Langdon House, Langdon Road, Swansea, SA1 8QY
• Email: info@hmt-uk.org
• Data Protection Officer (DPO): Provided under contract by Cribb Cyber Security
Services Ltd.

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

• Name
• Email address
• Phone number
• Any other information you provide via forms or correspondence
• Information about the treatment or care you have received or have expressed an
interest in receiving
• Supporting information relating to your health or care, e.g. test results, letters or reports
• Technical data (browser type, operating system, IP address, device information)
• Cookie and usage data (see our Cookie Policy for details)

3. What Non-Personal Data We Collect

We may collect non-personal identification information about users whenever they interact
with our website or patient portal. Non-personal identification information may include the
browser name, the type of computer and technical information about users’ means of
connection to our site, such as the operating system, the internet service providers utilised
and other similar information.

4. How We Collect Your Data

We may collect personally identifiable information from users in a variety of ways,
including, but not limited to, in person at HMT premises, when users visit our site, fill out a
form, and in connection with other activities, services, features or resources we make
available on our site. When enquiring on our site, as appropriate, you may be asked to enter
your name, email address, phone number or other details to help you with your experience.
Users may, however, visit our site anonymously. We will collect personal identification
information from users only if they voluntarily submit such information to us. Users can
always refuse to supply personally identifiable information, except that it may prevent them
from engaging in certain site-related activities or receiving services.

We collect data when users:

• Visit us in person
• Visit our website
• Fill out forms
• Contact us via email or other channels
• Interact with our services and features

We use this information to provide services to you such as health or social care, to send
appointment reminders, treatment updates or billing information via various methods (text
message, telephone or email). It may also be used to follow up with a potential customer
after correspondence and to improve customer service via investigation of concerns or
complaints or for customer surveys. Information you provide helps us respond to your
customer service requests and support needs more efficiently. We may use this
information to send periodic marketing emails should you consent to this. We may use the
email address to respond to user enquiries, questions, and/or other requests.

5. Lawful Basis for Processing

We process your personal data under the following lawful bases:

• Your consent (where required)
• To perform a contract with you
• To comply with legal obligations
• For our legitimate interests (e.g., improving our services, responding to enquiries)
• We use this information to follow up with a user after correspondence

6. Purposes for Processing

We use your personal data to:

• Provide and improve our services
• Respond to your enquiries and support requests
• Send you updates and information (where permitted)
• Provide healthcare treatment or social care
• Analyse website usage and improve user experience

7. Sharing Your Data

We do not sell, trade, or rent your personal data. We may share your data with:

• Service providers and business partners who help us operate our website and services
• Other healthcare providers such as hospitals, GPs, ambulance services or urgent care
• Local Authorities
• Regulatory authorities, if required by law
• Third-party analytics providers (e.g., Google Analytics)

We will manage your health and care records in accordance with the NHS Records
Management Code of Practice for Health and Social Care.

8. International Transfers

If we transfer your personal data outside the UK or EEA, we will ensure appropriate
safeguards are in place, such as adequacy decisions or standard contractual clauses.

9. Data Retention

We retain your personal data only as long as necessary for the purposes set out in this
notice, or as required by law. Specific retention periods are available on request.

10. Your Rights

You have the following rights under UK GDPR:

• Access your personal data
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Restrict or object to processing
• Data portability
• Withdraw consent at any time (where processing is based on consent)
• Lodge a complaint with the Information Commissioner’s Office (ICO)

To exercise your rights, please contact us using the details above.

11. Statutory or Contractual Requirements

Providing personal data may be necessary for statutory or contractual reasons. If you
choose not to provide data, we may be unable to offer certain services.

12. Automated Decision-Making

We do not use automated decision-making or profiling that has legal or significant effects
on you. If this changes, we will update this notice accordingly.

13. Children’s Data

Our website and services are not intended for children under 13. We do not knowingly
collect data from children. If you believe we have inadvertently collected such data, please
contact us.

14. CCTV

Purpose and Lawful Basis:

We operate Closed Circuit Television (CCTV) systems at our premises to:

• Promote the safety and security of staff, visitors, and property
• Prevent and detect crime
• Assist in the investigation of incidents
• Support regulatory and legal compliance

The lawful basis for processing CCTV footage is our legitimate interests in maintaining a
safe environment, safeguarding residents, staff and visitors, and where applicable,
compliance with legal obligations. Clear CCTV signage is displayed at all site entrances
and within monitored areas to ensure staff, residents and visitors are aware that CCTV is in
operation.

What Data Is Collected:

CCTV systems capture video images of individuals on our premises. In some cases, this
may include vehicle registration numbers and other identifiable information. CCTV may
operate continuously or at specific times, and signage is displayed to inform you when and
where CCTV is in use.

How Data Is Used and Shared:

CCTV footage is used strictly for the purposes stated above. Access to recordings is limited
to authorised personnel and may be shared with law enforcement, regulatory bodies, or
insurers if required by law or for the investigation of incidents. We do not use CCTV footage
for monitoring staff performance or for any purpose incompatible with those stated.

Retention and Security:

CCTV recordings are retained for a limited period, typically no longer than 30 days, unless
required for an ongoing investigation or legal proceedings. All footage is stored securely
and deleted when no longer needed. We regularly review our CCTV systems to ensure
compliance with data protection legislation and the Information Commissioner’s Office
guidance.

Your Rights:

You have the right to request access to CCTV footage in which you are identifiable, subject
to exemptions under data protection law. Requests should be made in writing to the
contact details provided in this notice. We may require proof of identity and information to
help locate the relevant footage.

15. Call Recordings

We may record telephone calls you make to us for monitoring and training purposes.
Where calls are recorded you will be notified when connecting to our Contact Centre.
Recordings are securely stored with restricted access, and will be retained for a period of
one month before deletion. Exceptionally, we may retain recordings for longer where they
relate to a complaint or legal proceedings.

16. How We Protect Your Data

To protect this information the site and our networks are security scanned on a regular
basis for known vulnerabilities in order to make your visit to our site as safe as possible.
Your personal information is contained behind secured networks and is only accessible by
a limited number of persons who have special access rights to such systems, and are
required to keep the information confidential. In addition, all sensitive information you
supply via the website is encrypted via Secure Sockets Layer (SSL) technology.

We implement a variety of security measures when a user enters, submits, or accesses
their information to maintain the safety of your personal information.

We implement appropriate technical and organisational measures to protect your data,
including:

• Regular security scans
• IASME, Cyber Essentials and Cyber Essentials Plus accreditation
• Secure networks and restricted access including multi-factor authentication
• SSL encryption for sensitive information

17. Cookies

We use cookies to enhance your experience and analyse site usage. You can manage your
cookie preferences via your browser settings or our Cookie Policy. Cookies are small files
that a site or its service provider transfers to your computer's hard drive through your web
browser (if you allow) that enable the site's or service provider's systems to recognise your
browser and capture and remember certain information. For instance, we use cookies to
help us remember and process the items in your shopping cart. They are also used to help
us understand your preferences based on previous or current site activity, which enables
us to provide you with improved services. We also use cookies to help us compile
aggregate data about site traffic and site interaction so that we can offer better site
experiences and tools in the future.

We, along with third-party vendors such as Google, use cookies (such as the Google
Analytics cookies) to compile data regarding user interactions with ad impressions and
other ad service functions as they relate to our website.

Opting out: You can set preferences for how Google advertises to you using the Google
Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising Initiative
opt-out page or by using the Google Analytics opt-out browser add-on.

18. Changes to This Notice

We may update this notice from time to time. Any changes will be posted on our website,
and we encourage you to review this notice regularly. This notice was last updated in
December 2025.

19. Contact Us

If you have questions about this privacy notice or your personal data, please contact us at
info@hmt-uk.org