Patient Privacy Notice
This Patient Privacy Notice describes how we, Gatehouse Health, collect and use personal data relating to our Patients (i.e. individuals who attend or who have previously attended Gatehouse Health for health advice and treatment). It also covers our use of personal data relating to Prospective Patients (i.e. individuals who enquire about or express an interest in the services offered by Gatehouse Health) with whom we may communicate (such as over our website or by email). We also refer in this notice to Patients and Prospective Patients as ‘you’.
We are required by data protection law to give you the information in this Privacy Notice. It is important that you read the Privacy Notice carefully, together with any other information that we might give you from time to time about how we collect and use your personal data.
We also have a Children’s Privacy Notice aimed at Patients who are children. Depending on the maturity of the child, the child should read this, or parents (or carers) should talk it through with their child, if appropriate. Please contact us to request this, if needed (see contact details below).
This Privacy Notice applies from 21st April 2024 and supersedes any previous versions. We may update this Privacy Notice at any time.
Who is the controller?
Gatehouse Health is the ‘controller’ for the purposes of data protection law (also referred to in this notice as ‘we’ or ‘us’). This means that we are responsible for deciding how we hold and use personal data about you. We can be contacted as follows: Gatehouse Health, 85 High Street, Battle, East Sussex, TN33 0AQ. Email: reception@gatehousehealth.co.uk Tel: 01424481869.
What is personal data?
Personal data means any information relating to a living individual who can be identified (directly or indirectly), in particular by reference to an identifier (e.g. name, email address, physical features). Personal data can be factual (e.g. contact details or age), an opinion or assessment about an individual, or information that may otherwise impact that individual in a personal or business capacity.
Data protection law provides additional protection for personal data about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation, criminal convictions or offences, biometrics (if used for identification purposes), or genetics. This is referred to as special category data. We refer to personal data that is not special category data as ordinary personal data.
What type of personal data do we hold about you?
We hold personal data about you in order to provide our services, including, for example: name, contact details, age or date of birth, your requirements for our services, related biographical and background information relevant to our services, records of the services we have provided, and associated payments.
This includes special category data relevant to our services, including: background medical information and health details from you, information about our assessments and treatments for you, and other information about your health which is collected or recorded by us in providing our services.
If you are a Prospective Patient, we may hold your name and contact details, and other information relating to your enquiry or our communications with you.
If you visit our premises, we may also collect images of you via our CCTV system.
Why do we hold your personal data and on what legal grounds?
We hold and use your personal data for the purposes of providing our services, responding to your enquiries, and for sending you related communications.
We also use CCTV outside our premises to assist with the security of our premises.
Both during and following the end of our relationship with you, we may retain your personal data in case it is needed to address enquiries from you, or to address any concerns or legal issues relating to our services or our business. See also below: How long do we keep your personal data?
Data protection law requires us to have a legal ground for each use of personal data. Most commonly, we rely on the following legal grounds when we process your personal data.
- Where we need to process your data to perform the contract we have entered into with you for the provision of our services (performance of the contract). This would apply for most of our activities, for example, collecting background information about you (including health details), maintaining records of [our assessments, treatment and services], managing payments from you, and communicating with you in relation to our services.
- Where we need it to comply with a legal obligation (legal obligation). This may include where law enforcement authorities require us to collect, use or share personal data, or where necessary to comply with other laws.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (legitimate interest). This may include, for example, using your data to respond to any enquiries, use of our CCTV system, and retaining or using your data to exercise or defend any legal claims, or otherwise to protect our legal rights.
- Where we have obtained your specific consent. [We will seek your consent before using your contact details to send you direct marketing communications (which you have not otherwise specifically requested from us).]
We are required to have an additional legal ground in order to use data relating to your health (because it is special category data). As healthcare professionals, the applicable legal ground is that our use of health data is necessary to provide our health care and treatment services.
In exceptional circumstances, we may also use personal data (including special category data) where needed to protect your vital interests or those of another person, to detect or prevent unlawful acts, to establish, exercise or defend legal claims, or where it is in the public interest in the area of public health.
How do we collect your personal data?
You provide us with most of the personal data about you that we hold and use. Other personal data about you is generated by us in the course of providing our services, for example records of our assessments and treatments, and information within internal communications or communications with you.
Some of the personal data about you that we hold and use may come from external sources. For example: if you have had previous treatment, we may, with your consent, request records from your previous healthcare provider.
If you give us someone else’s personal data
Sometimes, you might provide us with another person’s personal data – e.g. details of a family member or next of kin. In such cases, we require you to inform the individual what personal data of theirs you are giving to us. You must also give them our contact details and let them know that they should contact us if they have any queries about how we will use their personal data [or, if we ask you to do so, you must pass on to them a separate privacy notice in which we explain what we do with their personal data that we receive from you][, although we may also provide them with a specific privacy notice to give them this information].
If you are a parent or carer providing information about a child, please also see our Children’s Privacy Notice.
Who do we share your personal data with?
We may share relevant personal data with the following parties (and our legal grounds for doing so are described in brackets).
- Legal authorities or regulatory bodies, our legal and professional advisors or auditors, or other parties where we are required by law to do so (for compliance with a legal obligation, or otherwise in our legitimate interests to protect or enforce our rights, or to exercise, establish or defend legal claims).
- Prospective or actual purchasers of our organisation or our business (in the legitimate interests of the purchaser).
- Other parties with your consent (for example if you give your consent to share your records with another healthcare provider).
- Other parties where necessary to protect your rights and interests, or the rights or interests of another individual (in our legitimate interests, or for compliance with a legal obligation).
- Our service providers may also handle your data, such as providers of Cliniko (online patient management system) and MailChimp (online email management system). They act as processors on our behalf, meaning that we remain primarily responsible for how they use your data in line with the purposes and lawful bases identified in this Privacy Notice.
Consequences of not providing personal data
We only ask you to provide personal data when we have a good reason and there may therefore be consequences if you do not provide particular information to us.
Some of the personal data you provide to us, for example background information about you, is required in order for us to provide our services effectively and to perform our contract with you.
If you choose not to provide us with any personal data requested, we will tell you about the particular implications of any such decision at the relevant time.
How long will we keep your personal data?
We will not keep your personal data for longer than we need it for our legitimate purposes.
If you are a Patient, we generally keep records relating to our services to you (and associated assessments and treatment) for 8 years from the date of your last visit to us. (For Patients who are children, we generally keep these records until their 25th birthday, or 26th birthday if the Patient was 17 at the conclusion of treatment.)
If you are a Prospective Patient, we generally keep records of our communications with you for a period of 3 months following our last communication with you. Note that you also have the right to withdraw any consent you have given, and to object to use of your data for direct marketing purposes (see ‘Your rights’ below), in which case we may delete your personal data sooner.
Our retention periods may be changed in appropriate circumstances, for example we may need to retain your details for longer if there is a dispute in relation to our services. You may contact us for additional information about retention periods.
Please note that personal data that is held on IT back-up data sets for disaster recovery purposes may be retained for a different period. This is because it may not be possible to apply retention periods to individual records without erasing the whole back-up data set. [Back-up data sets are generally retained for up to 2 years for disaster recovery purposes.]
Transferring personal data outside the UK
We do not ordinarily transfer your personal data outside the UK.
Your rights
You have a number of legal rights relating to your personal data, as follows.
- The right to withdraw any consent you have given in relation to the use of your personal data.
- The right to make a subject access request. This enables you to receive certain information about how we use your personal data, as well as to receive a copy of it.
- The right to request that we correct incomplete or inaccurate personal data that we hold about you.
- The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it, or where you have withdrawn any consent relating to that processing. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- The right to object to our processing your personal data where: (a) we use it for direct marketing purposes; or (b) where we are relying on our legitimate interest (or those of a third party) as our legal ground. In the case of (b), note that we may continue the processing if we can show a compelling reason to do so.
- The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- The right to request that we transfer your personal data to you or to another party, in a structured format. This right applies in respect of data that you have provided where our legal ground for using the data is that it is necessary for the performance of a contract or that you have consented to us using it (this is known as the right to “data portability”).
If you would like to exercise any of the above rights, please contact us via email at reception@gatehousehealth.co.uk or call 01424481869. Note that these rights are not absolute and in some circumstances we may be entitled to refuse some or all of your request.
If you have any questions or concerns about how your personal data is being used by us, you can contact the Data Protection Manager via saskia@gatehousehealth.co.uk