GDPR Privacy Notice for Patients
Summary of Key Points
- Courtyard Health Clinic collects and processes your personal information to provide safe, high-quality medical and occupational health services.
- We only collect information that is necessary for your care and handle it securely in line with UK GDPR and the Data Protection Act 2018.
- Your data may be shared with your GP, specialists, laboratories, insurers, or employers — but only with your explicit consent and only when relevant to your care.
- We store your data in encrypted UK/EU servers via Semble, with strong security measures and role-based access.
- You have rights to access, correct, restrict, or request deletion of your data (within legal and clinical boundaries).
- We retain medical records for your lifetime plus 3 years after death, and occupational health records in line with statutory health and safety requirements.
- Cookies are used on our website to improve user experience and functionality — you can manage preferences in your browser settings.
1. About Us
Courtyard Health Clinic is an independent private healthcare and occupational health practice founded by Dr Victoria McBride (MRCGP). We are registered with Healthcare Improvement Scotland as an independent provider and with the Information Commissioner’s Office (ICO) under registration number ZB968531. We are committed to protecting your privacy and handling your information lawfully, fairly, and transparently.
2. What Information We Collect
We collect information necessary for your care and clinic operations, including:
– Identity and contact details (name, date of birth, address, phone, email, next of kin)
– Medical history, medications, allergies, diagnoses, treatment notes, referrals, test results
– Appointment, billing, and payment details
– Occupational health information, job role, and assessments (if relevant)
– Special category data (e.g., health, disability, race, or religion where relevant to care)
We collect data directly from you when booking or attending appointments, completing forms, or contacting us by email or phone. We may also receive information from your GP, specialists, laboratories, employer, or insurer, but only with your consent.
4. Why We Use It and Legal Basis
We use your data to deliver healthcare services, manage appointments, communicate with you, issue reports, and meet legal obligations. The lawful bases under UK GDPR include:
– Article 6(1)(c): Legal obligation (e.g., medical record-keeping)
– Article 6(1)(f): Legitimate interests (e.g., clinic operations)
– Article 9(2)(h): Provision of health care or treatment (special category data)
We do not use your data for marketing without explicit consent.
5. Who We Share Information With
Your data is only shared when necessary, lawful, and proportionate. Possible recipients include:
– You (access to your own records)
– Internal clinical staff
– External healthcare providers (GPs, specialists, labs)
– Health insurers or employers (only with explicit consent)
– Regulators or authorities when legally required
– Semble Technology Ltd (our secure data processor, UK/EU based)
6. Data Storage, Transfers, and Security
Your records are stored electronically in encrypted UK/EU data centres managed by Semble (on AWS). We do not transfer data outside the UK/EEA unless appropriate legal safeguards are in place. Paper records, where used, are held securely in locked cabinets with restricted access.
7. How Long We Keep Your Information
We retain your medical and occupational health records in line with professional and legal standards:
– Adult medical records: Lifetime plus at least 3 years after death (BMA guidance)
– Occupational health records: Duration of employment plus 6 years or until age 75 (whichever comes first)
– Statutory health surveillance (e.g. COSHH, asbestos, lead, noise): Minimum 40 years from the last entry
– Staff/HR records: 6 years post-employment
Records are securely deleted or destroyed (electronically wiped or shredded) when no longer required.
8. Security Measures
We use encryption, firewalls, and strict access controls. Only authorised staff have access, and all users have unique logins with role-based permissions. All staff receive data protection and confidentiality training. Data breaches are investigated and, where required, reported to the ICO within 72 hours of our becoming aware of them.
9. Cookies and Tracking Technologies
Our website uses cookies to improve user experience, analyse traffic, and ensure functionality. You can manage or disable cookies in your browser settings. For full details, please see our separate Cookie Policy at https://courtyardhealthclinic.com/cookiespolicy/.
10. Your Rights
You have rights under UK GDPR, including access, rectification, restriction, erasure (where appropriate), and data portability. You can also object to processing or withdraw consent where it applies. To exercise your rights, contact the Data Controller below.
11. Contact Details and Complaints
Data Controller: Dr Victoria McBride
Courtyard Health Clinic
Suite 2, Eskmills, Musselburgh, EH21 7PB
Telephone: 0131 297 6655
Email: admin@courtyardhealthclinic.com
Website: www.courtyardhealthclinic.com
If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Email: casework@ico.org.uk
Website: www.ico.org.uk
12. Updates to This Privacy Notice
This notice was last updated on 16 October 2025. It will be reviewed regularly and updated whenever our data practices or legal requirements change. The latest version will always be available on our website.