Privacy Policy

Health for Life Clinics Ltd is committed to protecting the privacy, confidentiality and security of all personal and sensitive data in accordance with the highest professional and legal standards. We recognise that maintaining patient and client confidentiality is fundamental to the trust relationship in healthcare.

This policy establishes clear procedures for the lawful, fair and transparent handling of personal data in compliance with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Health and Social Care Act 2008 (Regulated Activities) Regulations 2014

  • CQC Regulation 17: Good Governance

  • Common Law Duty of Confidentiality

  • Human Rights Act 1998 (Article 8: Right to respect for private and family life)

  • Professional body guidance (GMC: Confidentiality; NMC: The Code; HCPC: Standards of Conduct)

Scope and Application

This policy applies to:

  • All staff employed by or contracted to Health for Life Clinics Ltd

  • All members of the multidisciplinary team

  • Third-party service providers processing data on our behalf

  • All personal data processed in connection with Health for Life services

  • Both individual patients and corporate clients

Definitions

Personal Data: Any information relating to an identified or identifiable living individual (data subject). This includes names, contact details, NHS numbers, dates of birth, and unique identifiers.

Special Category Data (Sensitive Personal Data): Personal data requiring extra protection under GDPR Article 9, including:

  • Data concerning health (physical or mental health, provision of healthcare, health status)

  • Genetic data (inherited or acquired genetic characteristics)

  • Biometric data (fingerprints, facial recognition, retinal scans)

  • Racial or ethnic origin

  • Sexual orientation

Data Controller: Health for Life Clinics Ltd determines the purposes and means of processing personal data.

Data Processor: Third-party organisations that process personal data on behalf of Health for Life Clinics Ltd (e.g., Semble, laboratory services, IT support providers).

Data Subject: The individual to whom personal data relates (patients, employees, corporate client employees).

Processing: Any operation performed on personal data including collection, recording, organisation, storage, adaptation, retrieval, consultation, disclosure, dissemination, restriction, erasure or destruction.

Confidential Information: Information provided in circumstances where there is an expectation of privacy, including all patient health information and commercially sensitive corporate client information.

Data Protection Principles

All personal data processed by Health for Life Clinics Ltd must comply with the six UK GDPR data protection principles:

Lawfulness, Fairness and Transparency

Personal data must be processed lawfully, fairly and in a transparent manner. We rely on the following lawful bases:

  • Explicit Consent: Where patients provide informed, freely given, specific consent for data processing (documented in consent forms)

  • Contract: Processing necessary for the performance of contracts with patients or corporate clients

  • Legal Obligation: Processing required to comply with legal obligations (CQC notifications, safeguarding reporting, court orders)

  • Vital Interests: Processing necessary to protect life in emergency situations

  • Legitimate Interests: Processing necessary for legitimate business purposes where not overridden by individual rights (service improvement, audit, clinical governance)

  • Public Interest / Healthcare Provision: Processing necessary for preventive or occupational medicine, medical diagnosis, provision of health or social care, or management of healthcare systems (GDPR Article 9(2)(h))

Patients are informed about data processing through our Patient Privacy Notice, available at registration and on our website. Corporate clients receive separate privacy notices explaining how employee health data is processed.

Purpose Limitation

Personal data is collected only for specified, explicit and legitimate purposes. Data will not be further processed in a manner incompatible with those purposes. Primary purposes include:

  • Provision of healthcare services (assessment, diagnosis, treatment, care planning)

  • Health and safety monitoring for corporate clients (occupational health services)

  • Clinical governance and quality improvement

  • Regulatory compliance (CQC, GMC, ICO)

  • Financial administration (billing, invoicing, payment processing)

  • Communication with patients and referring clinicians

  • Research and audit (with appropriate consent or anonymisation)

Data Minimisation

Only personal data that is adequate, relevant and limited to what is necessary is collected and processed. Clinical staff are trained to record only information essential for patient care, service delivery, and legal compliance. Excessive or irrelevant information is not retained.

Accuracy

Personal data must be accurate and kept up to date. Measures to ensure accuracy include:

  • Verification of patient details at each appointment

  • Correction of inaccuracies without delay

  • Patient rights to request amendment of inaccurate data

  • Regular data quality audits

Storage Limitation

Personal data is retained only for as long as necessary for the purposes for which it was collected. Retention periods are:

  • Adult Patient Records: Minimum 8 years from last contact (or 8 years after death if sooner)

  • Staff Records: 6 years after employment ends

  • Financial Records: 6 years from end of financial year

  • Governance Records: Indefinitely or as required by regulation

Data is securely destroyed when no longer required, in accordance with our Records Management and Retention Schedule.

Integrity and Confidentiality (Security)

Personal data must be processed securely using appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction or damage. See Section 8 for detailed security measures.

Accountability

Health for Life Clinics Ltd is responsible for demonstrating compliance with all data protection principles through appropriate documentation, policies, training, and auditing.

Confidentiality and Professional Duty

Common Law Duty of Confidentiality

All staff owe patients a common law duty of confidentiality. Information provided by or about patients in the course of their healthcare must be kept confidential unless:

  • The patient consents to disclosure

  • Disclosure is required by law

  • Disclosure is justified in the public interest

  • Disclosure is necessary to protect others from serious harm

Professional Obligations

Healthcare professionals must adhere to their regulatory body guidance:

  • GMC: Confidentiality: good practice in handling patient information (2017)

  • NMC: The Code (2018) – Respect people's right to privacy and confidentiality

  • HCPC: Standards of conduct, performance and ethics – Respect confidentiality

Corporate Client Confidentiality

When providing occupational health or corporate wellness services, confidentiality operates at two levels:

  • Individual Confidentiality: Employee health information is kept confidential from the employer. Clinical details are not disclosed to corporate clients without explicit employee consent.

  • Management Information: Where contractually appropriate, anonymised or aggregate data may be provided to corporate clients to support health and safety obligations, provided no individual can be identified.

The scope of information sharing with corporate clients is clearly defined in:

  • Written agreements between Health for Life Clinics Ltd and the corporate client

  • Privacy notices provided to individual employees

  • Specific consent forms for any disclosure of individual health information

Confidentiality in Practice

Staff must maintain confidentiality through:

  • Not discussing patient information in public areas or outside work

  • Ensuring conversations cannot be overheard

  • Securing physical records when not in use

  • Locking computers when away from desk

  • Using secure methods for transmitting patient information

  • Not accessing records unless required for legitimate work purposes

  • Challenging unauthorised attempts to access patient information

Patient and Data Subject Rights

Under UK GDPR, individuals have the following rights:

Right to Be Informed

Patients and data subjects are informed about data processing through clear and transparent privacy notices, provided at registration and available on our website. Privacy notices explain what data is collected, why, how it is used, who it is shared with, and how long it is retained.

Right of Access (Subject Access Request)

Individuals have the right to access their personal data. Subject Access Requests (SARs) are managed as follows:

  • Timeframe: Respond within one calendar month of receipt

  • Fee: Free of charge (unless manifestly excessive or repetitive)

  • Verification: Identity of requester must be verified before disclosure

  • Third Party Information: Information relating to third parties must be redacted unless consent is obtained

  • Format: Provided in commonly used electronic format unless paper copy requested

  • Requests: Must be made in writing to compliance@healthforlife.clinic or by post to the registered address

  • Occupational Health Context: Where occupational health data is processed, the right of access applies. However, disclosure may be refused if it would cause serious harm to the physical or mental health of the data subject or another individual. Such decisions are made by an appropriate health professional.

Right to Rectification

Individuals have the right to have inaccurate personal data corrected. Where feasible, corrections should be actioned immediately upon request. For clinical records, corrections are made by adding amendments rather than deleting original entries, in accordance with good record-keeping practice.

Right to Erasure (Right to be Forgotten)

Individuals have the right to request erasure of their personal data in certain circumstances. However, this right is limited where processing is necessary for:

  • Compliance with legal obligations (e.g., record retention requirements)

  • Establishment, exercise or defence of legal claims

  • Archiving purposes in the public interest

Healthcare records must be retained for minimum periods as specified in Section 4.5. Erasure requests that conflict with legal retention obligations will be refused with explanation.

Right to Restrict Processing

Individuals may request restriction of processing where accuracy is contested, processing is unlawful but erasure is refused, or where data is required for legal claims. Restricted data can be stored but not further processed without consent (except for legal claims or protection of others).

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, individuals have the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. We provide data in PDF and CSV formats where requested.

Right to Object

Individuals have the right to object to processing based on legitimate interests or for direct marketing purposes. Where objection is raised, processing ceases unless compelling legitimate grounds override individual interests. Occupational health processing under Article 9(2)(h) may not be subject to objection where necessary for employment or social security purposes.

Rights in Relation to Automated Decision Making

Health for Life Clinics Ltd does not engage in automated decision-making or profiling that produces legal or similarly significant effects. All clinical decisions involve human judgement and professional expertise.

Information Sharing and Disclosure

Sharing with Consent

Patient information is shared with other healthcare professionals only with explicit patient consent. Consent for information sharing is documented using our Consent Form, which specifies:

  • What information will be shared

  • With whom it will be shared (specific individuals or organisations)

  • Why it needs to be shared

  • Duration of consent (time-limited or ongoing)

Sharing Without Consent (Legal Basis)

Information may be disclosed without consent in the following circumstances:

  • Legal Obligation: Where required by law (court orders, statutory notifications to CQC, reporting notifiable diseases to Public Health England)

  • Safeguarding: To prevent or detect serious crime, or to protect vulnerable adults or children from risk of serious harm

  • Public Interest: Where disclosure is necessary to prevent serious harm to others (terrorism, serious violent crime)

  • Vital Interests: In emergency situations where consent cannot be obtained and disclosure is necessary to protect life

All disclosures without consent are:

  • Documented in the patient record

  • Limited to information strictly necessary for the purpose

  • Reviewed by senior clinical staff where possible

  • Communicated to the patient unless this would undermine the purpose or place others at risk

Secure Information Transfer

All sharing of patient information uses secure methods:

  • Semble Clinical Portal: Secure clinical messaging for correspondence with other healthcare providers

  • Encrypted Email: For sensitive information sent to non-NHS email addresses

  • Secure Post: Marked 'Private and Confidential' for paper correspondence

  • Never: Unencrypted email containing identifiable patient information, social media, text messages, or WhatsApp

Corporate clients receive management reports via secure encrypted channels agreed in data processing agreements.

Disclosure to Corporate Clients

Where Health for Life Clinics Ltd provides occupational health services to corporate clients:

  • Individual clinical details are NOT disclosed to employers without explicit employee consent

  • Management reports contain only: fitness-for-work recommendations, workplace adjustments, and aggregate anonymised data

  • Employees are clearly informed at assessment what information will be shared with their employer

  • All data processing agreements with corporate clients specify confidentiality obligations and permitted disclosures

Information Security Measures

Health for Life Clinics Ltd implements comprehensive technical and organisational measures to ensure information security:

Technical Security Measures

Secure Clinical Information System: Semble (ISO 27001 certified, UK GDPR compliant, cloud-based)

Encryption: All data transmitted and stored is encrypted (TLS 1.2+ for transmission, AES-256 for storage)

Access Controls: Role-based access permissions ensuring staff only access information required for their role

Authentication: Strong password policies (minimum 12 characters, complexity requirements) and multi-factor authentication for system access

Audit Trails: Complete audit logs of all system access, data views, modifications and deletions

Automatic Logout: Systems automatically lock after 10 minutes of inactivity

Data Backups: Automated daily backups with encrypted off-site storage; tested quarterly

Antivirus and Firewall: Enterprise-grade protection with automatic updates

Secure Disposal: Data securely deleted using overwrite methods; physical media destroyed through certified destruction services

Device Security: All devices encrypted, password-protected, and configured with remote wipe capability

Organisational Security Measures

Access Management: User accounts created only for authorised personnel; immediately deactivated upon termination

Staff Training: Mandatory annual training in data protection, information security and confidentiality for all staff

Confidentiality Agreements: All staff, contractors and temporary workers sign confidentiality agreements

Physical Security: Controlled access to premises; visitor log; secure storage for physical records

Clear Desk Policy: No patient-identifiable information left visible when workstations unattended

Data Protection Impact Assessments (DPIAs): Conducted for new processing activities that pose high risk

Privacy by Design: Data protection principles embedded in all new systems and processes

Incident Response Plan: Documented procedures for responding to data breaches and security incidents

Regular Audits: Quarterly audits of access logs, annual information governance audits

Third-Party Data Processors

Health for Life Clinics Ltd engages third-party processors who may handle patient data:

Due Diligence and Contracts

Before engaging any data processor, and for as long as the arrangement continues, we:

  • Conduct due diligence to ensure appropriate technical and organisational security measures

  • Review arrangements annually and following any significant incidents

Current Data Processors

Our key data processors include:

  • Semble Ltd: Clinical information system (ISO 27001 certified, UK-based servers)

  • SignatureRx: Electronic prescribing platform (UK GDPR compliant)

  • Laboratory Services: External laboratories for diagnostic testing provided by The Doctors Laboratory (ISO/IEC 27001 certified)

  • Accountancy and Legal Services: Professional advisers with regulatory confidentiality obligations

A complete register of data processors is maintained by the Registered Manager.

International Data Transfers

Health for Life Clinics Ltd does not routinely transfer personal data outside the UK. Where international transfers are necessary, we ensure appropriate safeguards are in place (Standard Contractual Clauses, adequacy decisions, binding corporate rules) and document transfers in our Records of Processing Activities.

Data Breaches and Incident Management

What Constitutes a Data Breach

A personal data breach is any security incident leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. Examples include:

  • Loss or theft of devices containing patient data

  • Unauthorised access to clinical systems

  • Disclosure to incorrect recipient (wrong patient, wrong GP, wrong employer)

  • Ransomware or cyber-attack

  • Loss of paper records

Reporting and Response

All staff must report suspected data breaches immediately:

  • Immediate Action: Contain the breach (e.g., retrieve misdirected email, secure compromised system)

  • Report: Notify the Registered Manager immediately (compliance@healthforlife.clinic)

  • Investigation: Registered Manager investigates and assesses severity

  • Documentation: All breaches recorded in Data Breach Log with details of incident, individuals affected, actions taken

  • Learning: Root cause analysis, implementation of preventive measures, staff training updates

Notification Requirements

ICO Notification:

Breaches likely to result in risk to individuals' rights and freedoms must be reported to the Information Commissioner's Office within 72 hours of becoming aware. High-risk breaches (those likely to result in serious harm, discrimination, significant financial loss, or reputational damage) are reported without delay.

Data Subject Notification:

Where a breach is likely to result in high risk to individuals, those affected are notified directly without undue delay. Notification includes:

  • Description of the breach

  • Likely consequences

  • Measures taken to mitigate harm

  • Contact details for further information

Records Management

Record Quality Standards

All patient records must meet the following standards:

  • Contemporaneous: Recorded at the time of, or as soon as practicable after, the event

  • Accurate: Factual, consistent and legible

  • Attributed: Author, role, date and time clearly identified

  • Comprehensive: Include all relevant information (assessment, diagnosis, treatment plan, consent, communications)

  • Professional: Objective, respectful language avoiding abbreviations unless standardised

  • Secure: Stored securely with appropriate access controls

Record Retention

Records are retained in accordance with professional guidelines and legal requirements as specified in Section 4.5 (Storage Limitation). A Records Retention Schedule is maintained documenting:

  • Type of record

  • Retention period

  • Justification for retention period

  • Disposal method

  • Person responsible

Record Disposal

At the end of the retention period, records are securely destroyed:

  • Electronic Records: Secure deletion using data overwrite methods; deletion logged in audit trail

  • Paper Records: Confidential shredding or incineration by certified destruction services; certificate of destruction retained

  • Media: Physical destruction of hard drives, USB drives, CDs using certified destruction services

Corporate Client Data Processing

When Health for Life Clinics Ltd provides occupational health or corporate wellness services, additional data protection considerations apply:

Legal Basis for Processing

Processing of employee health data for occupational health purposes relies on GDPR Article 9(2)(h):

"Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

This lawful basis permits processing without explicit consent where necessary for occupational health purposes, subject to appropriate safeguards (professional secrecy obligations, data protection impact assessments, clear privacy notices).

Tripartite Relationship

The occupational health relationship involves three parties:

  • Employee (Data Subject): Individual whose health data is processed

  • Corporate Client (Joint/Separate Controller): Employer commissioning occupational health services

  • Health for Life Clinics Ltd (Controller/Processor): Providing occupational health services

Data controller responsibilities are clearly defined in written agreements with corporate clients, specifying respective obligations and permitted data uses.

Confidentiality Framework

Clinical Information:

Clinical details (diagnosis, treatment, symptoms, test results, medications) remain strictly confidential to healthcare professionals. This information is NOT disclosed to employers without explicit written consent from the employee.

Management Information:

Employers receive only:

  • Fitness for work assessment (fit, fit with adjustments, temporarily unfit, permanently unfit)

  • Specific workplace adjustments recommended

  • Anticipated timeframes for review (without clinical reasons)

  • Aggregate anonymised data for health surveillance where contractually agreed

Employees are informed verbally and in writing what information will be shared with their employer, and consent is obtained for any disclosure beyond standard management recommendations.

Employee Rights

Employees whose data is processed for occupational health purposes retain all UK GDPR rights:

  • Right to transparent information about data processing

  • Right to access their occupational health records

  • Right to rectification of inaccurate data

  • Right to restriction where appropriate

  • Right to complain to the ICO

Employees can exercise their rights by contacting Health for Life Clinics Ltd directly at compliance@healthforlife.clinic.

Data Processing Agreements

All corporate client arrangements are governed by written Data Processing Agreements (DPAs) or similar contracts that specify:

  • Scope and purpose of data processing

  • Types of personal data processed

  • Duration of processing

  • Controller and processor responsibilities

  • Security measures required

  • Subprocessor arrangements

  • Data breach notification procedures

  • Audit rights

  • Data return or destruction on termination

Training and Awareness

Mandatory Training

All staff complete mandatory training in:

  • Data Protection and UK GDPR: Annual refresher covering principles, rights, obligations

  • Information Governance: At induction and annually, covering confidentiality, secure information handling, incident reporting

  • Cyber Security: Annual training in recognising phishing, social engineering, malware threats

  • Role-Specific Training: Additional training for staff with specific responsibilities (e.g., handling SARs, conducting DPIAs, processing occupational health data)

Competency Assessment

Training compliance is monitored through central training records. Competency assessments are conducted annually as part of appraisal processes. Non-compliance with mandatory training may result in disciplinary action and restriction of system access.

Awareness Activities

Data protection awareness is maintained through:

  • Regular updates at team meetings and MDT governance meetings

  • Policy reminders and guidance documents available via Semble

  • Learning from incidents and near-misses shared with all staff

  • Data Protection Week activities and communications

Governance and Accountability

Roles and Responsibilities

Registered Manager (Dr M Terblanche):

  • Ultimate accountability for data protection compliance

  • Oversight of information governance systems

  • Decision-maker for complex data protection issues

  • Liaison with ICO and regulatory bodies

  • Approval of policies and significant changes

All Clinical Staff:

  • Maintain professional confidentiality obligations

  • Record accurate, contemporaneous patient records

  • Obtain and document appropriate consent

  • Report data breaches and security incidents immediately

  • Complete mandatory training

Administrative Staff:

  • Manage secure information flows

  • Maintain Records of Processing Activities

  • Support audit and compliance activities

Documentation and Records of Processing

Health for Life Clinics Ltd maintains comprehensive Records of Processing Activities (ROPA) documenting:

  • Purposes of processing

  • Categories of data subjects and personal data

  • Categories of recipients

  • International transfers (if applicable)

  • Retention periods

  • Security measures

Audit and Monitoring

Data protection compliance is monitored through:

  • Quarterly Access Audits: Review of system access logs to detect unauthorised access

  • Annual Policy Review: Review and update of all data protection policies

  • Monthly Consent Audits: Audit of consent documentation quality

  • Annual Information Governance Audit: Comprehensive review of information governance arrangements

  • Incident Reviews: All data breaches reviewed with lessons learned

  • MDT Governance Meetings: Data protection standing agenda item at monthly meetings

Audit findings are reported at governance meetings with action plans for any identified deficiencies.

ICO Registration

Health for Life Clinics Ltd is registered with the Information Commissioner's Office (ICO) as a data controller. The annual registration fee is paid and the ICO registration is kept up to date with any changes to processing activities, contact details or organisational structure.

Compliance with CQC Regulation 17

This policy supports compliance with CQC Regulation 17 (Good Governance) by ensuring:

  • Systems and processes are established to assess, monitor and improve quality and safety

  • Accurate, complete and contemporaneous records are maintained

  • Records are stored securely and can be located promptly when needed

  • Appropriate information is provided to service users

  • Service users' confidential information is protected

  • Effective data protection systems mitigate risks to service users

Related Policies

This policy should be read in conjunction with:

  • Good Governance Policy

  • Consent Policy

  • Complaints Policy

References and Legal Framework

Legislation:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Health and Social Care Act 2008 (Regulated Activities) Regulations 2014

  • Human Rights Act 1998

  • Common Law Duty of Confidentiality

  • Data Protection (Charges and Information) Regulations 2018

Regulatory Guidance:

  • CQC: Regulation 17 – Good Governance

  • CQC: Code of Practice on Confidential Personal Information

  • Information Commissioner's Office: Guide to the UK GDPR

  • Information Commissioner's Office: Guide to Data Protection

  • National Data Guardian: Data Security Standards

Professional Guidance:

  • GMC: Confidentiality: good practice in handling patient information (2017)

  • NMC: The Code (2018)

  • HCPC: Standards of conduct, performance and ethics

  • BMA: Confidentiality and disclosure of health information toolkit

  • Department of Health: Records Management Code of Practice

  • NHS Digital: Records Management Code of Practice for Health and Social Care

Monitoring and Review

This policy is:

  • Reviewed annually as a minimum

  • Updated following significant incidents, data breaches or near misses

  • Revised when legislation, guidance or best practice changes

  • Amended following CQC inspection feedback or ICO guidance

  • Modified when operational changes affect data processing activities

All staff are notified of policy updates and required to read and acknowledge updated versions.

For queries about this policy, contact:

Email: compliance@healthforlife.clinic