Data Protection Policy

This policy applies to all permanent, temporary or contracted staff who can access patient information under supervision. To fulfil its purpose and meet legal obligations, this clinic needs to hold certain types of information about the people it deals with.

This includes employees, patients and suppliers. This information, whether on paper, computerised or recorded in some other way, must be collected, stored and used properly.

We are committed to complying with the Data Protection Act (1998) to preserve:

  • Confidentiality
    • protecting sensitive information from unauthorised disclosure
  • Integrity
    • safeguarding the accuracy and completeness of information
  • Availability
    • ensuring that information and vital services are available to authorised users

Any person-identifiable information processed on our behalf is held, obtained, received, used, disclosed, shared, destroyed or transmitted in a secure environment.

All staff are made aware of the key principles of data protection legislation. The DPA 1998 is discussed at induction as part of record keeping, and further training should be made available as new policies and procedures are brought into practice. Failure to comply with this policy, and/or to demonstrate compliance, will be regarded as a disciplinary offence.

We follow 8 key principles of the Data Protection Act 1998, which are:

  1. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose.
  2. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is being processed.
  3. Personal data shall be processed fairly and lawfully.
  4. Personal data shall be accurate and where necessary kept up to date.
  5. Personal data processed for any purpose shall not be kept for longer than necessary.
  6. Personal data shall be processed in accordance with the rights of data subjects under this act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of that data.

At this clinic, we keep records regarding health and any treatment and care we carry out. Any personal and medical information we record is encrypted and stored remotely in the cloud by Heydoc, a specialist patient management system.

The records may include the following:

  • Basic personal details such as address and next of kin
  • Details of previous clinic visits
  • Notes and reports regarding your health and any treatment and care you have received or may need
  • Results of investigations, such as x-rays and laboratory tests
  • Relevant information from other health care professionals
  • Details of any allergies or any difficulties with any past treatment
  • How your records are used to help you

Information may be used to help us:

  • Review the care we provide to ensure that it is of the highest standard
  • Investigate adverse incidents or complaints
  • Ensure that our services meet the needs of patients in the future
  • Prepare statistics on performance

All staff employed at the practice have a legal duty to ensure that all information regarding patients is maintained in an entirely confidential manner. Any person receiving information from us is also under a legal obligation to ensure that this information is maintained confidentially. We will not disclose information regarding your medical care to your family, carers or friends unless we have your consent to do so. Our guiding principle is that we hold records in the strictest confidence.

How patients can obtain access to their health records

The Access to Health Records Act 1990 and the Data Protection Act 1998 are the main statutory provisions that govern the release of medical records. Should patients wish to view their medical records, they need to ask a member of the reception team, who will contact the registered manager.

Examples of when information may need to be passed on to others

  • When others involved in client care have a genuine need for the information
  • In exceptional circumstances where the health and safety of others is at risk or where the law requires information to be passed on
  • When information is required for national registries
  • We are required by law to report certain information to the appropriate authorities

General Principles of Confidentiality

Need to Know

Access to files containing medical or other confidential information should be limited to those individuals who have a proper business reason for needing it. You should be able to justify the purpose(s) for using patient- or resident-identifiable information in the first instance. Once a file has been accessed, the user should read only what is relevant to the job in hand.

This principle should be applied without regard to rank or position. For example, a nurse may need to know information concerning a patient to safely provide nursing care; a senior manager will not need to know the same information but may need to know the gender and age for statistical purposes.

Use patient-identifiable information only when it is necessary.

Numbers not Names

Use the minimum information possible. For example, if a patient can be satisfactorily identified using a numerical identifier, that is preferable to using initials and date of birth, which in turn is preferable to using a full name, which in turn is preferable to using a name and address.

Careless Talk

Never casually discuss confidential details of identifiable individuals with anyone within or outside of the company.


If in doubt do not disclose


Back to Clinic Policies and Documents