Our Privacy Policy

Part A: Privacy Notice for Patients and Website Users

Document reference CSC-POL-GDPR-001 · Version 1.1 · Issued June 2025 · Review due June 2026
Approved by Tom Magal, Director · Data Protection Officer: Laura Yarranton

This Privacy Notice explains how The Church Street Clinic collects, uses and protects personal information about you when you use our services or visit our website. Please read it carefully. If you have any questions, contact us using the details below.

1. Who we are

Church Street Clinic (referred to below as ‘CSC’, ‘we’, ‘us’ or ‘our’) is a private healthcare provider offering GP, aesthetic, diagnostic, sports performance, mental health, nutrition and massage services from premises in central Hereford.

Legal entity: The Church Street Clinic Ltd
Registered address: 34 Church Street, Hereford, HR1 2LR
Email: admin@churchstclinic.com
Telephone: 01432 674498
Website: www.churchstclinic.com
Data Protection Officer: Laura Yarranton

For the purposes of UK data protection law, The Church Street Clinic Ltd is the primary data controller for the processing described in this notice. Some clinicians who practise from CSC premises operate their own independent practices and are separate data controllers in respect of their own clinical records. Where that applies, those clinicians will provide you with their own privacy notice.

If you wish to contact our Data Protection Officer directly, please write to the registered address above, marking your correspondence ‘FAO Data Protection Officer’.

You also have the right to raise concerns with the Information Commissioner’s Office (ICO) at any time (see section 9 below). We would, however, ask that you contact us first so that we can try to resolve any issue.

2. Information we collect about you

We collect and process the following categories of personal data, depending on the services you receive:

Contact and identity information

  • Full name, date of birth, home address, telephone numbers and email address
  • Next of kin or emergency contact details
  • NHS number (where clinically relevant)

Health and clinical information (special category data)

  • Medical and mental health history, including information provided by you and by other clinicians
  • Referral letters and clinical information from your GP, NHS services or other healthcare professionals
  • Consultation and assessment notes, diagnoses and treatment plans
  • Results of tests, blood panels, clinical investigations and imaging
  • Sports performance data including VO₂ max, lactate threshold and resting metabolic rate measurements
  • Lifestyle, nutrition and activity information relevant to your care
  • Clinical photographs (with your consent)
  • Prescribing information and medicines history

Administrative and financial information

  • Appointment history and correspondence
  • Private medical insurance details and authorisation numbers
  • Invoices, payment records, receipts and credit notes

Safeguarding and risk information

  • Where relevant to your care or to our legal obligations, information relating to safeguarding, risk assessment or statutory reporting

Website and technical data

  • IP address, device identifiers, browser type, operating system and usage data
  • Cookie and analytics information (see our Cookie Policy on the website for detail)

Marketing preferences

  • Your preference regarding receiving news, updates or information about our services

We collect only the minimum information necessary to provide safe, effective care and to operate the clinic lawfully.

3. How we collect your information

Directly from you

  • Completing registration, medical history or consent forms
  • Attending consultations, assessments, procedures or treatments
  • Corresponding with us by telephone, email, letter, text message or web form
  • Using our website (including cookies — see our Cookie Policy)

From other healthcare professionals

  • Your GP or NHS services
  • Referring or treating consultants or allied health professionals

From third parties

  • Diagnostic providers, pathology laboratories and imaging services
  • Private medical insurers or corporate clients where they fund your care

Automatically (website only)

  • Through cookies and analytics tools when you browse our website, subject to your consent preferences

4. Why we process your information and our lawful basis

Under UK GDPR, we must have a lawful basis for processing your personal data and, for special category health data, an additional condition. The list below summarises the main purposes and the bases we rely on.

  • Providing direct clinical care and treatment — Performance of contract (Art. 6(1)(b)); Healthcare provision (Art. 9(2)(h))
  • Arranging tests, procedures and follow-up — Performance of contract (Art. 6(1)(b)); Healthcare provision (Art. 9(2)(h))
  • Communicating about appointments and results — Performance of contract (Art. 6(1)(b)); Healthcare provision (Art. 9(2)(h))
  • Liaising with GPs, NHS services and other clinicians — Legitimate interests (Art. 6(1)(f)); Healthcare provision (Art. 9(2)(h))
  • Maintaining clinical and administrative records — Legal obligation (Art. 6(1)(c)); Healthcare provision (Art. 9(2)(h))
  • Invoicing and processing payments — Performance of contract (Art. 6(1)(b)); no Article 9 condition required
  • Complying with regulatory and legal obligations — Legal obligation (Art. 6(1)(c)); Legal claims (Art. 9(2)(f))
  • Audit, quality improvement and clinical governance — Legitimate interests (Art. 6(1)(f)); Healthcare provision (Art. 9(2)(h))
  • Safeguarding and risk management — Legal obligation (Art. 6(1)(c)) or vital interests (Art. 6(1)(d)); Vital interests (Art. 9(2)(c))
  • Marketing and communications (with your consent) — Consent (Art. 6(1)(a)); no Article 9 condition required

Where we rely on consent as the lawful basis, you may withdraw that consent at any time by contacting us using the details in section 1. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.

5. Who we share your information with

We may share your personal information with the following categories of recipients, where necessary and proportionate:

  • Your GP and NHS services involved in your care
  • Treating consultants, allied health professionals and other clinicians directly involved in your treatment
  • Independent clinicians practising from CSC premises, to the extent necessary to coordinate your care
  • Pathology laboratories, diagnostic imaging providers and other diagnostic services
  • Private medical insurers and corporate health funders (where they authorise or fund your treatment)
  • Practice management and clinical IT system providers acting as data processors
  • Secure payment processing providers
  • Professional and legal advisers, where required
  • Regulators, public bodies and law enforcement agencies, where we are legally required or permitted to disclose

We do not sell your personal data. All third parties who process data on our behalf are bound by written data processing agreements and are required to implement appropriate technical and organisational security measures.

6. International transfers

The majority of your personal data is stored and processed within the United Kingdom. In the event that any data is transferred to a country outside the UK, we will ensure that appropriate safeguards are in place in accordance with UK GDPR requirements — for example, by using standard contractual clauses approved by the ICO, or by relying on an adequacy decision. Details of any such safeguards are available on request.

7. How long we keep your information

We retain records for the periods required by NHS records management guidance, professional body requirements and applicable legislation. The following minimum periods normally apply:

  • Adult clinical records — minimum 8 years from last attendance
  • Children’s records — until the patient’s 25th birthday (or 26th if aged 17 at last treatment)
  • Mental health records — minimum 20 years, or 8 years after death
  • Financial and accounting records — minimum 7 years (Companies Act / HMRC requirements)
  • Deceased patients — minimum 8 years from date of death

At the end of the applicable retention period, data is securely destroyed or irreversibly anonymised. Paper records are shredded by a contracted confidential waste supplier; electronic records are deleted in accordance with our data disposal procedure.

8. How we keep your information secure

We take the security of your personal data seriously. Our measures include:

  • Role-based access controls ensuring staff can only access information relevant to their function
  • Strong password policies and multi-factor authentication where available
  • Audit logging of access to clinical systems
  • Encryption of data in transit and at rest
  • Secure, locked storage for physical records
  • Confidential waste disposal arrangements
  • Regular staff training on data protection and information security
  • Business continuity and disaster recovery procedures for clinical data

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify you directly without undue delay.

9. Your rights

Under UK GDPR, you have the following rights in relation to your personal data. Most requests will be responded to within one calendar month.

  • Right of access — to obtain a copy of the personal data we hold about you (commonly known as a Subject Access Request or SAR)
  • Right to rectification — to request correction of inaccurate or incomplete data
  • Right to erasure — to request deletion of your data where there is no longer a lawful basis for processing (note: this right may be limited in respect of clinical records held under legal or professional obligations)
  • Right to restrict processing — to request that we limit how we use your data in certain circumstances
  • Right to object — to object to processing based on legitimate interests or for direct marketing
  • Right to data portability — to receive data you have provided to us in a structured, machine-readable format
  • Right to withdraw consent — where processing is based on consent, to withdraw that consent at any time
  • Right to lodge a complaint — with the ICO (see below)

To exercise any of these rights, please contact us in writing at the address in section 1 or by email to admin@churchstclinic.com. We may need to verify your identity before processing your request.

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Web: www.ico.org.uk · Telephone: 0303 123 1113

10. Communications and marketing

We will contact you as necessary in connection with your care, including appointment reminders, recall letters, test results and clinical correspondence. These communications are made under our contractual or legitimate interest basis and do not require your consent.

We may also, with your express prior consent, contact you about news, new services or events at Church Street Clinic. You may opt out of marketing communications at any time by contacting us or by using the unsubscribe link in any email we send. Opting out of marketing will not affect any clinical correspondence.

11. CCTV

CCTV cameras may be in operation within and around our premises for the purpose of security, crime prevention and the safety of staff and patients. CCTV footage is retained for a minimum period of 30 days and is accessible only by authorised personnel. It will be disclosed to the police or other law enforcement agencies where we are legally required or permitted to do so. A separate CCTV policy and signage are in place at the premises.

12. Cookies and website analytics

Our website uses cookies to improve functionality and to understand how visitors use the site. A full explanation of the cookies we use, and the choices available to you, can be found in our Cookie Policy, accessible from the website footer. Where cookies require your consent, we will ask for it before setting them.

13. Children

Where we treat patients under the age of 16, we will obtain consent from a parent or person with parental responsibility, except in circumstances where the child is considered Gillick-competent to consent to their own treatment. Our approach to children’s data follows NHS guidance and the UK GDPR provisions on children’s data.

14. Caldicott Guardian

Church Street Clinic has appointed a Caldicott Guardian with responsibility for protecting the confidentiality of patient information and enabling appropriate and lawful information sharing. The Caldicott Guardian for CSC is Tom Magal, Director.

15. Updates to this notice

We may update this Privacy Notice from time to time, for example if our services change or in response to regulatory guidance. The current version will always be available on our website at www.churchstclinic.com/gdpr-policy. If we make material changes that affect you, we will notify you directly where we have your contact details.

This notice was last reviewed in June 2025.

Part B: Data Protection and UK GDPR Policy (Internal)

This internal policy supplements the public Privacy Notice above. It applies to all staff, clinicians, contractors and volunteers working at or for Church Street Clinic. It sets out our obligations under the UK GDPR and the Data Protection Act 2018 and the standards we expect from all those who handle personal data on our behalf.

B1. Scope and purpose

This policy applies to all personal data processed by or on behalf of The Church Street Clinic Ltd, whether in electronic form, in paper records, or in any other medium. It applies to all staff (employed and self-employed), clinicians, students, volunteers and contractors.

Non-compliance with this policy may result in disciplinary action, termination of engagement, and in serious cases may give rise to criminal liability and/or regulatory sanction.

B2. Key definitions

  • Personal data — any information relating to an identified or identifiable living individual
  • Special category data — sensitive data including health, mental health, genetic, biometric, racial, religious or sexual orientation data
  • Processing — any operation performed on personal data, including collection, storage, use, disclosure and deletion
  • Data subject — the individual to whom personal data relates
  • Data controller — the organisation that determines the purposes and means of processing
  • Data processor — a third party that processes data on the controller’s instructions
  • DPIA — Data Protection Impact Assessment, a risk assessment required for higher-risk processing activities
  • ROPA — Record of Processing Activities, our internal register of all data processing

B3. Data protection principles

CSC is committed to processing all personal data in accordance with the seven UK GDPR principles:

  • Lawfulness, fairness and transparency — data is processed only on a valid lawful basis and in a way that is transparent to data subjects
  • Purpose limitation — data is collected for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes
  • Data minimisation — only data that is adequate, relevant and limited to what is necessary is collected
  • Accuracy — data is kept accurate and up to date; inaccuracies are corrected promptly
  • Storage limitation — data is kept only as long as necessary for its purpose (see retention schedule in Part A, section 7)
  • Integrity and confidentiality — data is processed securely, protecting against unauthorised access, loss or destruction
  • Accountability — CSC maintains documentation to demonstrate compliance and keeps this policy under regular review

B4. Roles and responsibilities

  • Board / Director (Tom Magal) — overall accountability for data protection compliance; approval of this policy; Caldicott Guardian function
  • Data Protection Officer (Laura Yarranton) — day-to-day oversight of UK GDPR compliance; point of contact for data subjects and the ICO; maintenance of the ROPA; conducting or commissioning DPIAs; staff training coordination; breach notification
  • Registered Manager (Dr Teshk Nakshbandi) — clinical governance of data handling; ensuring clinical systems and records meet data protection requirements; supporting staff training in clinical contexts
  • All staff and contractors — adherence to this policy; completion of mandatory data protection training; prompt reporting of suspected breaches or near-misses to the DPO

B5. Lawful bases and special category conditions

CSC maintains a Record of Processing Activities (ROPA) that documents the purpose, data types, lawful basis and retention period for each category of processing. The ROPA is maintained by the DPO and reviewed at least annually.

The primary lawful bases relied upon are:

  • Article 6(1)(b) — performance of a contract (direct care services)
  • Article 6(1)(c) — legal obligation (regulatory, professional and statutory requirements)
  • Article 6(1)(f) — legitimate interests (clinical governance, quality improvement, business administration)
  • Article 6(1)(a) — consent (marketing communications)

For special category health data, the primary condition is Article 9(2)(h) (healthcare provision). For legal claims or vital interests, Articles 9(2)(f) and 9(2)(c) respectively may apply.

B6. Information security

All staff must:

  • Use only systems and devices approved for processing CSC patient and business data
  • Never share login credentials
  • Lock screens when leaving workstations unattended
  • Use secure, encrypted channels when transmitting patient data (no unencrypted email for clinical information)
  • Store paper records securely and not remove them from the premises without authorisation
  • Report any security incidents, suspected breaches or lost or stolen devices immediately to the DPO

Remote access to CSC systems must be via an approved, encrypted connection. Use of personal devices for processing patient data is prohibited without prior written authorisation and appropriate security controls.

B7. Data breach management

A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

All suspected or actual breaches must be reported to the DPO immediately. The DPO will:

  • Assess the severity and scope of the breach
  • Take immediate steps to contain the breach
  • Notify the ICO within 72 hours if the breach is likely to pose a risk to individuals’ rights and freedoms
  • Notify affected data subjects where required
  • Document the breach and remediation steps in the breach register

Failure to report a suspected breach is a serious disciplinary matter.

B8. Handling subject access and rights requests

Any request from a patient or other individual to exercise their data protection rights must be passed to the DPO immediately on receipt. Requests must be:

  • Acknowledged promptly
  • Verified (identity of the requester confirmed before disclosure)
  • Responded to within one calendar month (extendable by a further two months in complex cases, with notification to the requester)
  • Documented in the subject rights request log

There is no fee for Subject Access Requests unless they are manifestly unfounded or excessive.

B9. Data Protection Impact Assessments

A DPIA must be conducted before commencing any new processing activity that is likely to result in high risk to individuals, including:

  • Introduction of new clinical IT systems or significant changes to existing systems
  • Large-scale processing of special category data
  • Systematic monitoring of patients or staff
  • Any automated decision-making that produces legal or similarly significant effects

DPIAs are completed by the DPO in conjunction with the relevant operational lead and, where the residual risk remains high, submitted to the ICO for prior consultation.

B10. Third-party processors and data sharing

Before engaging any third party to process personal data on CSC’s behalf, the DPO must:

  • Verify that the processor has appropriate technical and organisational security measures in place
  • Ensure a written Data Processing Agreement (DPA) is in place that meets UK GDPR Article 28 requirements
  • Record the processor in the ROPA

Data may only be shared with other organisations where there is a clear lawful basis and, in the case of special category data, an appropriate Article 9 condition. Any ad hoc requests for data sharing (for example from police, solicitors or the media) must be referred to the DPO before any disclosure is made.

B11. Training and awareness

All staff must complete mandatory data protection training on commencement of employment or engagement and at least every two years thereafter. Training records are maintained by the DPO. Additional role-specific training may be required for staff with elevated access to clinical data.

B12. Monitoring and review

This policy is reviewed at least annually by the DPO and approved by the Director. It will be reviewed sooner in the event of significant changes to legislation, regulatory guidance, or CSC’s processing activities.

Compliance with this policy is monitored through regular data protection audits, system access reviews and staff supervision. The results of audits are reported to the Director.