GDPR Privacy Notice for Patients
Effective Date: 01 May 2025
Review Date: 01 August 2026
Data Controller: Dr Victoria McBride
ICO Registration Number: ZB968531
1. Introduction
This Privacy Notice explains how Courtyard Health Clinic collects, uses, and protects your personal information when providing healthcare and related administrative services. We are committed to handling your information in line with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, Caldicott Principles, and Healthcare Improvement Scotland (HIS) standards.
2. Who We Are
Courtyard Health Clinic Limited
Hercules House, Eskmills, Station Road, Musselburgh, EH21 7PB
Email: hello@courtyardhealthclinic.com
Website: www.courtyardhealthclinic.com
Telephone: 0131 297 6655
Data Controller: Dr Victoria McBride, Clinical Director & Safeguarding Lead
3. Legal Basis for Processing Your Data
We process your personal and health data lawfully, fairly, and transparently under:
– Article 6(1)(c) – processing is necessary for compliance with a legal obligation.
– Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, or the provision of health or social care.
This includes providing clinical care, occupational health assessments, liaising with insurers or employers (with consent), maintaining records, and meeting regulatory duties.
4. What Information We Collect
We collect and store only the information necessary to provide safe, effective care. This includes:
– Personal and contact details (name, DOB, address, contact info, NHS GP, next of kin)
– Medical information (history, medications, allergies, test results, appointment notes, reports)
– Administrative details (appointments, payments, consent forms)
We may also record special category data such as details relating to physical or mental health, disability, pregnancy, or other sensitive information.
5. How We Collect Information
We may collect information from:
– You directly (in person, by telephone, email, or online)
– Your employer (if referring you for occupational health services)
– Health insurers arranging or funding your care
– Other healthcare providers (with your consent)
– Laboratories or diagnostic services used for your treatment
6. How We Use Your Information
Your information is used to:
– Deliver safe, high-quality healthcare
– Manage appointments, billing, and communication
– Provide reports to your employer, insurer, or GP (with consent)
– Maintain clinical and administrative records
– Audit and improve our services
We do not use your data for marketing or share it with third parties for commercial purposes.
7. Information Sharing
We only share relevant information when it is lawful and necessary. This may include sharing with:
– Your NHS GP or other healthcare professionals
– Laboratories and diagnostic providers
– Your health insurer (if applicable)
– Your employer (for occupational health purposes, with your consent)
All sharing is done securely and in accordance with Caldicott Principles: minimum necessary, need-to-know basis, justified use.
8. Data Storage, Retention, and Security
Your data is stored securely on encrypted systems with access controls and two-factor authentication.
– Electronic records: Stored in Semble (encrypted, role-based access)
– Paper records: Locked cabinets with restricted access
Retention periods:
– Adult patient medical records: Kept for the patient’s lifetime and at least 6 years after the last entry or 3 years after death (whichever is longer).
– Occupational health records (for employees): Kept for the duration of employment plus 6 years, or until the employee’s 75th birthday (whichever comes first).
– Statutory health surveillance records (e.g. exposure to chemicals, asbestos, lead, noise): Kept for a minimum of 40 years from the date of the last entry, as required by law.
– Staff/HR records: Kept for 6 years after employment ends (7 years if preferred for consistency).
Disposal:
– Paper: Cross-shredding or licensed confidential waste provider
– Electronic: Secure deletion with certified data destruction methods
9. Your Rights
Under UK GDPR, you have the right to:
– Access your data
– Rectify inaccuracies
– Request erasure (where legally permitted)
– Restrict or object to processing
– Request data portability
To exercise these rights, contact the Data Controller listed below.
10. Data Breach and Incident Reporting
Courtyard Health Clinic takes data breaches extremely seriously. Any suspected breach will be investigated immediately and reported to the Information Commissioner’s Office (ICO) within 72 hours where required. Patients affected will be informed.
11. Contact Details
Data Controller:
Dr Victoria McBride
Courtyard Health Clinic, Hercules House, Eskmills, Station Road, Musselburgh, EH21 7PB
Email: hello@courtyardhealthclinic.com
Telephone: 0131 297 6655
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk
12. Review and Updates
This notice will be reviewed annually or sooner if legislation or operational practices change. Updates will be published on our website and available upon request.
Approved by: Dr Victoria McBride, Clinical Director & Safeguarding Lead
Issue Date: 01 May 2025
Review Date: 01 August 2026