Our GDPR Policy

The Church Street Clinic – Privacy and UK GDPR Statement

1.1 Who we are

This Privacy and UK GDPR Statement explains how The Church Street Clinic (“CSC”, “we”, “us”) collects, uses and protects personal information about you when you use our services or our website.

CSC provides private medical, diagnostic, sports performance, aesthetic and psychotherapy services from premises in central Hereford. We work with a range of independent clinicians and partner organisations to deliver your care.

For the purposes of UK data protection law, the primary data controller for information described in this notice is:

Name: Church Street Clinic
Legal entity: The Church Street Clinic Ltd
Address: 34 Church Street, Hereford, HR1 2LR
Email: admin@churchstclinic.com
Telephone: 01432 674498

Some clinicians who practise from CSC will also be independent data controllers for certain parts of your record (for example, where they run their own private practice). In those cases they will provide you with their own privacy notice. This statement covers processing undertaken by CSC as the clinic operator.

If you have any questions about this notice or about how we use your information, please contact us using the details above. You also have the right to raise concerns with the Information Commissioner’s Office (ICO), but we ask that you contact us first so we can try to resolve any issues.

1.2 The information we collect

We may collect and process the following categories of personal data:

Contact and identity details

  • Name, date of birth, address, telephone numbers, email address
  • Next of kin or emergency contact details
  • NHS number, if relevant

Health and clinical information (special category data)

  • Medical and mental health history
  • Referral letters and information from your GP, NHS services or other clinicians
  • Consultation notes, diagnoses, treatment plans
  • Test results, imaging, reports and clinical photographs
  • Prescribing and medicines information
  • Lifestyle and activity information relevant to sports performance or health assessments

Administrative and financial information

  • Appointment history and correspondence
  • Insurance details, authorisation numbers and billing information
  • Invoices, payments, refunds and credit notes

Website and technical data

  • IP address, device identifiers, browser type and usage data
  • Cookie and analytics information (see our Cookie Policy for more detail)

Safeguarding and risk information

  • Information relevant to safeguarding, risk assessment or statutory reporting

Marketing preferences

  • Your preferences about receiving information about our services, newsletters or events

We will only collect the minimum information we need to provide safe and effective care and to run the clinic.

1.3 How we collect your information

We collect information in several ways:

Directly from you

  • Completing registration or medical history forms
  • Attending consultations, assessments or procedures
  • Corresponding with us by phone, email, text, web forms or post

From other healthcare professionals

  • Your GP or NHS services
  • Referring consultants or allied health professionals

From third parties

  • Diagnostic providers and laboratories
  • Private medical insurers or corporate clients where they fund your care

Automatically

  • Through cookies and analytics tools when you use our website (subject to consent where required)

1.4 Lawful bases for processing your data

We rely on the following lawful bases under UK GDPR:

Article 6 bases

  • Performance of a contract (Article 6(1)(b))
  • Legal obligations (Article 6(1)(c))
  • Legitimate interests (Article 6(1)(f))
  • Vital interests (Article 6(1)(d))

Special category data (health)

  • Article 9(2)(h) – medical diagnosis and provision of care
  • Article 9(2)(f) – legal claims

Where we rely on consent (Article 6(1)(a), or explicit consent under Article 9(2)(a) for health data, for example before a clinical photograph is used for any purpose other than your care), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew.

1.5 How we use your information

We use your information to:

  • Provide direct care and treatment
  • Arrange tests, procedures and follow-up
  • Communicate about appointments and results
  • Liaise with GPs, NHS services and insurers
  • Maintain clinical and administrative records
  • Meet legal and regulatory obligations
  • Carry out audits and quality improvement

We do not sell your personal data.

1.6 Who we share your information with

We may share information with:

  • GPs, NHS services and clinicians involved in your care
  • Diagnostic providers and laboratories
  • Independent clinicians practising at CSC
  • Insurers or corporate funders
  • IT and practice management system providers
  • Professional advisers
  • Regulators and public bodies where legally required

All processors acting on our behalf are bound by written data protection agreements that meet the requirements of Article 28 UK GDPR.

1.7 International transfers

Most data is processed within the UK. Where data is transferred outside the UK, we rely on appropriate safeguards such as UK adequacy regulations for the destination country or the ICO's International Data Transfer Agreement (or its Addendum to the EU Standard Contractual Clauses).

1.8 How long we keep your information

We follow NHS and professional guidance, including:

  • Adult records: usually at least 8 years after the conclusion of treatment or last contact
  • Children: until the child's 25th birthday (or 26th birthday if they were 17 when treatment concluded)
  • Mental health records: often longer (the NHS Records Management Code of Practice specifies 20 years after the last contact, or 10 years after death)
  • Financial records: at least 7 years

Data is securely destroyed or anonymised when no longer required.

1.9 How we keep your information safe

Security measures include:

  • Role-based system access
  • Strong passwords and audit logs
  • Secure storage and disposal
  • Encryption and secure communications
  • Staff confidentiality training

1.10 Your rights

You have the right to:

  • Access your data
  • Request corrections or erasure
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent

Requests are normally answered within one month of receipt. Where a request is complex or we receive several from you, this period may be extended by up to two further months; we will tell you within the first month if an extension is needed and why.

ICO contact:
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, SK9 5AF
https://www.ico.org.uk

1.11 Communications and marketing

We may contact you regarding:

  • Appointments and results
  • Follow-up care

Marketing communications are opt-in only.

1.12 CCTV and building security

CCTV may be used for safety and crime prevention. Retention is kept to a minimum.

1.13 Updates to this statement

This statement may be updated periodically. The latest version will always be available on our website.

The Church Street Clinic – Data Protection and UK GDPR Policy

2.1 Purpose and scope

This policy supports the public privacy statement and applies to all CSC staff, clinicians and contractors.

2.2 Definitions

  • Personal data – information relating to an identifiable person
  • Special category data – sensitive data such as health information
  • Processing – any operation performed on data
  • Data subject – the individual
  • Controller – organisation deciding how data is processed
  • Processor – third party processing data on behalf of the controller

2.3 Data protection principles

CSC adheres to the seven UK GDPR principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

2.4 Roles and responsibilities

  • Board / Owners: overall responsibility
  • Senior management: implementation and oversight
  • Data Protection Lead: Clinic Manager
  • All staff: training, compliance and incident reporting

2.5 Lawful bases and special category conditions

CSC maintains a Record of Processing Activities (ROPA) and primarily relies on:

  • Articles 6(1)(b), 6(1)(c), 6(1)(f)
  • Article 9(2)(h) for healthcare

2.6 Information security

Measures include:

  • Role-based access
  • Secure systems and backups
  • Physical security
  • Secure communications

2.7 Records retention and disposal

CSC follows the NHS Records Management Code of Practice. Data is securely destroyed, or anonymised, when no longer required.

2.8 Data sharing and processors

Data sharing occurs only with a lawful basis and appropriate safeguards.

2.9 Individual rights and subject access requests

Requests must be handled promptly and documented.

2.10 Data protection by design and DPIAs

DPIAs are carried out for higher-risk processing.

2.11 Data breaches and incident management

CSC investigates and records all personal data breaches in an internal breach log, whether or not they are reportable. Breaches likely to result in a risk to individuals are reported to the ICO without undue delay and, where feasible, within 72 hours of CSC becoming aware of them; where a breach is likely to result in a high risk to individuals, the affected individuals are also informed without undue delay.

2.12 Training and awareness

All staff receive mandatory data protection training.

2.13 Monitoring and review

This policy is reviewed annually and approved by clinic leadership.