Hever Health Privacy Policy

Hever Health Limited: GDPR Privacy Notice

At Hever Health, we take the handling of your personal data seriously. This notice explains why we collect your information and exactly what we do with it.

When you supply your personal details to this clinic, they are stored and processed for the following reasons.

Why We Collect Your Data

1. To Provide You With Treatment

We need to collect personal information about your health in order to provide you with the best possible care. Your request for treatment and our agreement to provide that care together constitute a contract between us. You may, of course, decline to provide this information, but without it we would not be able to treat you safely or effectively.

2. Legitimate Interest

We have a legitimate interest in collecting your information because without it we could not do our job safely or to the standard you deserve. We also believe it is important that we can contact you to confirm appointments or update you on matters related to your care. This too falls under legitimate interest, in this case yours as a patient.

3. General Health Communications

Provided we have your consent, we may occasionally send you general health information in the form of articles, advice or newsletters. You may withdraw this consent at any time by contacting us through any convenient method.

How Long We Keep Your Records

We have a legal obligation to retain your records for eight years following your most recent appointment, or until you reach the age of 25 if that period is longer. After this time has elapsed, you may ask us to delete your records. Otherwise, we will retain them indefinitely so that we can provide you with the best possible care should you return to us in future.

How Your Records Are Stored

Your records are held in two ways:

Cloud storage: We use a specialist medical records service to store your data electronically. This provider has confirmed full compliance with the General Data Protection Regulation. Access is password protected, with passwords updated regularly.

On-site computers: Our office computers are password protected, backed up regularly, and the premises are locked and alarmed outside working hours.

Who Has Access to Your Data

We will never share your data with anyone who does not need access to it, and we will never do so without your written consent. Routine access is limited to the following people and agencies:

  • The medical records service responsible for storing and processing our files
  • Your practitioner, so they can provide your treatment
  • Our reception staff, who manage appointments and reminders but do not have access to your medical history or sensitive personal information
  • Administrative staff such as our bookkeeper, who access only essential contact details and never your medical notes

From time to time we may engage consultants whose work could bring them into contact with your personal data, though not your medical notes. We will ensure they understand their obligation to treat that information as confidential, and we will require them to sign a non-disclosure agreement.

Your Rights

You have the right to see the personal data we hold about you. You may also ask us to correct any factual errors. Provided the legal minimum retention period has elapsed, you may request that we erase your records entirely.

We are committed to handling your personal data responsibly and to ensuring that access is limited only to those with a genuine need.

How to Make a Complaint

If you feel that we are mishandling your personal data in any way, you have the right to complain to our Data Controller. Please contact us directly in the first instance using the details on our contact page.

You also have the right to raise a concern with the Information Commissioner’s Office (ICO) at ico.org.uk if you are not satisfied with our response.