Privacy Policy – Data Storage and Processing Information
Who we are
The Rochester Private Clinic is owned and operated by College Health Ltd. The Rochester Private Clinic provides Private GP services and healthcare for the whole family, from our practice premises in Strood, Rochester Kent, UK.
This policy explains the what, how, and why of the information we collect when you visit our website, or when you use our Services. It also explains the specific ways we use and disclose that information.
We want you to have confidence in our services; we take your privacy extremely seriously, and we never sell lists or email addresses.
Contact Us
We are required by law to provide you with the following information about how we handle your information.
Data Controller & Data Protection Officer: Mrs Sharon Hogarth (enquiries@rochesterprivateclinic.co.uk)
Full practice contact information can be found in the footer of our website home page. If you have a specific question regarding our privacy policy, or data held by us, please contact the practice:
Email: enquiries@rochesterprivateclinic.co.uk
Phone: 01634 731601
Physical Mail: The Rochester Suite, Vicarage Road, Strood, Rochester, Kent, ME2 4DG
How we process your information to provide you with healthcare:
This practice keeps medical records confidential and complies with the General Data Protection Regulation. We hold your medical record so that we can provide you with safe care and treatment.
We will also use your information so that we can check and review the quality of the care we provide. This helps us to improve our services to you.
We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy. We also update your NHS GP following use of our private medical services, for your benefit, to ensure that your NHS individual and summary care records are up to date. For more information see: https://digital.nhs.uk/summary-care-records. All patients receiving NHS care will be registered on a national database. The Rochester Private Clinic do not access this database at present.
You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.
Lawful Basis for Processing:
These purposes are supported under the following sections of the GDPR:
– Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
– Article 9(2)(h) ‘…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’
Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Recipients of Data:
Data will be shared with:
healthcare professionals and staff in this surgery;
your NHS GP;
local hospitals;
out of hours services;
diagnostic and treatment centres;
other organisations involved in the provision of direct care to individual patients;
Semble Patient Medical Record System (see below).
Data we receive from other organisations:
We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation, the hospital may send us a letter to let us know what happened. This means your medical record is kept up to date when you receive care from other parts of the health service. In turn, we will keep your NHS GP up to date.
Identifying Patients Who Might be at Risk of Certain Diseases:
Your medical records might be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This is standard practice within the NHS, but less common in private practice, at present.
This process may involve linking information from your GP record with information from other health or social care services you have used.
This means we can offer patients additional care or support as early as possible. Information which identifies you will only be seen by this practice.
How We Protect your Personal Data
We use a number of web and software based tools to provide our services to you. For each application, we will detail what data we collect and how it is stored:
Cookies & Our Website
Cookies are small text files that are used to store small pieces of information. They are stored on your device when the website is loaded on your browser. These cookies help us make the website function properly, make it more secure, provide better user experience, and understand how the website performs and to analyze what works and where it needs improvement.
Similar to most online services, our website uses first-party and third-party cookies for several purposes. First-party cookies are mostly necessary for the website to function the right way, and they do not collect any of your personally identifiable data. The third-party cookies used on our website are mainly for understanding how the website performs, how you interact with our website, keeping our services secure, providing content that is relevant to you, and all in all providing you with a tailored experience whilst also helping to speed up your future visits to our website.
We store cookie data for 2 years. You can change your cookie preferences at any time.
Telephone and Answering Service
All calls to The Rochester Private Clinic may be recorded for quality assurance and audit purposes.
We use an internet ‘cloud-based’ phone system which will record the date, time and your caller ID phone number, where your phone shares this, in a call log. Call recordings, and any voicemail messages left for The Rochester Private Clinic, will be stored on a UK computer server. All cloud-phone system data is retained for up to a maximum of 3 years, dependent on storage capacity available.
Voicemail messages will be stored as audio files on our cloud-phone server. In addition, they will be auto-transcribed by the server and emailed as a text and sound file, securely, to our duty administration team. These files will be kept securely on our email servers until they are no longer required and are deleted, as per our email policy.
Communication Systems
Our email and web servers are located in secure data centres. Emails are sent and received in a secure, encrypted format.
Phone calls, emails and SMS messages may be sent in relation to your bookings, referrals and test results at The Rochester Private Clinic. By using our services, implicit agreement to healthcare service related communications is understood.
Payment Systems
All payments are processed through a secure third-party payment processing company. The Rochester Private Clinic do not collect or retain payment information; this is all handled through the dedicated payment companies, for your security. Our Semble booking system integrates with the Stripe payment system, while additional fees may be charged through the Square payment system. Both systems keep your data encrypted and use industry-leading security tools.
The Rochester Private Clinic’s bank account and accounting software may also record your payment transaction details.
Clinical Electronic Patient Record System
We are a paperless practice and use a UK based digital medical records system, delivered by Semble.io. This is a market-leading cloud-based electronic record used by many private medical clinics. No health record data is stored on The Rochester Private Clinic computers, ensuring the highest levels of security for your information.
All personal medical information held by The Rochester Private Clinic will be stored within your personal record file on our Semble system. Semble acts as our data processor, while The Rochester Private Clinic is the data controller.
Semble data is physically stored on servers which have achieved the highest level of security certification, as used by banks and government services. Servers are located in London, United Kingdom. Only a very limited number of authorised staff from Semble can access these servers.
In addition to medical records storage, Semble also provides our booking system and a secure patient portal where we can share information with you in a secure way. This portal can also be used to share referral information with external healthcare providers in a secure way.
Content on this site may include embedded content (e.g. booking system). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content in order to provide a service to you.
Semble provides a detailed overview of its own security and data handling information, including relating to GDPR laws (UK General Data Protection Regulations). Access this here.
Paper Records
For the most part, we will not keep any paper medical records and any clinical paperwork received will be scanned and uploaded to patient electronic medical records. Paperwork will then be disposed of, and recycled where possible, via a secure business waste third-party company.
Who do we share your clinical information or data with?
All consultation outcomes will be shared with your registered NHS GP; this is good practice and keeps your NHS record accurate and up to date. Information will also be shared with referring medical teams, or teams we make referrals to on your behalf; these will be discussed with you as part of your medical care at The Rochester Private Clinic.
Is my medical information kept confidential at all times?
The Rochester Private Clinic keeps medical records confidential and complies with the General Data Protection Regulation. In addition to our clinical team, managers and administrators will need occasional access to your records in order to assist the clinical team in actioning your care plan, for example by managing referrals, processing test requests and results, etc.
Safeguarding
Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.
These circumstances are rare, but we do not need your consent or agreement to do this.
Our local policy can be provided upon request.
Medical practitioners have a duty to disclose confidential information to third parties, including local authority or statutory bodies, when there are significant concerns that there may be risk to you or someone else. Where appropriate, this will be explained to those involved at the time. This requirement is standard across all UK healthcare settings, for patient and public safety.
Information may be disclosed to regulators, authorities or enforcement agencies if we are under a duty to share personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements, or to protect the rights, property, or safety of our clients or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
Where and how long do you keep my data?
Medical Information: GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found in the Records Management Code of Practice for Health and Social Care 2021: https://transform.england.nhs.uk/information-governance/guidance/records-management-code/
Website cookie data is retained for 2 years. The data is stored on our web-server, your devices and also
Voicemail & Phone recordings – all recordings and transcripts will be deleted after a maximum of 3 years, and often much sooner.
What are my rights under data protection laws?
You have various rights under applicable data protection laws. Please keep in mind that privacy law is complicated, and these rights will not always be available to you all of the time, especially in relation to medical records.
Our practice has a requirement and responsibility to maintain your health record. Healthcare regulation requirements often take precedence over the rules included within GDPR (General Data Protection Regulations).
Rights include:
access your personal data (also known as a “subject access request”) and correct incomplete or inaccurate data we hold about you:
You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website – insert link.
We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
object to how we are using your personal data;
You have the right to object to information being shared between those who are providing you with direct care.
This may affect the care you receive – please speak to the practice.
You are not able to object to your name, address and other demographic information being sent to Semble.
This is necessary if you wish to be registered to receive private medical care.
You are not able to object when information is legitimately shared for safeguarding reasons.
In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm. The information will be shared with the local safeguarding service.
withdraw your consent to us handling your personal data.
You also have the right to lodge a complaint with us or the Information Commissioner’s Office, the supervisory authority for data protection issues in England and Wales. ICO Contact: https://ico.org.uk/global/contact-us/ or call the helpline 0303 123 1113.
Useful external information:
1. Information Commissioner’s Office – Right to Erasure
2. MDU – GDPR: Data Subject’s Rights (Medical Records)
How your information is shared so that this practice can meet legal requirements:
The law requires The Rochester Private Clinic to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:
plan and manage services;
check that the care being provided is safe;
prevent infectious diseases from spreading.
NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so. We must also share your information if a court of law orders us to do so.
NHS Digital
It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
This practice must comply with the law and may send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
More information about NHS Digital and how it uses information can be found at: NHS Digital Home
Care Quality Commission (CQC)
The CQC regulates health and social care services to ensure that safe care is provided.
The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
For more information about the CQC see: http://www.cqc.org.uk/
Public Health
The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
We will report the relevant information to the local health protection team or the UK Health Security Agency.
For more information about disease reporting see: https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-how-to-report