Legal

Privacy Policy

How we collect, use, and protect your personal and health data in accordance with UK GDPR and the Data Protection Act 2018.

Last updated: [LAST_UPDATED_DATE]

1. Who we are

Elstree Private Urgent Care is operated by Centennial Urgent Care Ltd, a company registered in England and Wales (company number 17110961), with a registered office at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ. Our clinic operates from Centennial Park, Centennial Avenue, Elstree, Borehamwood, WD6 3FG.

Centennial Urgent Care Ltd is the data controller for personal data collected through this website and during your care at the clinic. We are registered with the Information Commissioner’s Office (registration number [ICO_REG_NUMBER_TBC]).

For any privacy-related questions, contact our Data Protection Officer at [DPO_EMAIL_TBC].

2. Personal data we collect

Depending on how you interact with us, we may collect:

  • Website contact forms & enquiries: name, email, phone number, and the content of your message.
  • Bookings and appointments: name, date of birth, contact details, reason for visit, insurance details (where applicable).
  • Clinical consultations: medical history, symptoms, examination findings, test results (X-ray, blood tests, ECG), diagnoses, treatments, prescriptions, and referrals.
  • Payment information: processed by our payment provider — we do not store full card details on our systems.
  • Website usage: IP address, browser type, pages visited (via analytics cookies — see section 8).

3. Special category (health) data

Information about your physical or mental health is classified as “special category data” under Article 9 of the UK GDPR and warrants additional protection.

We process health data on the following lawful bases:

  • Article 9(2)(a) UK GDPR — explicit consent: you give explicit consent when you book an appointment or attend for treatment.
  • Article 9(2)(h) UK GDPR — provision of health or social care: processing is necessary for medical diagnosis, the provision of health or social care, and the management of health-care systems, carried out by health professionals under a duty of confidentiality.
  • Article 6(1)(b) UK GDPR — performance of a contract: to deliver the care you have requested.
  • Article 6(1)(c) UK GDPR — legal obligation: statutory reporting requirements (e.g. notifiable diseases, safeguarding).
  • Article 6(1)(f) UK GDPR — legitimate interests: running our clinic safely and efficiently, where this does not override your rights.

All clinicians and staff handling health data are bound by a common-law duty of confidentiality and by professional codes of conduct (e.g. GMC, NMC).

4. How we use your data

  • To respond to enquiries and manage appointments.
  • To provide medical assessment, diagnostics, treatment, and follow-up care.
  • To arrange specialist referrals (with your consent) to consultants at Centennial Medical Care or elsewhere.
  • To process payments and issue receipts for insurance claims.
  • To maintain accurate medical records as required by professional and regulatory standards.
  • To meet legal and regulatory obligations (e.g. Care Quality Commission inspections, NHS Digital safeguarding, statutory disease notifications).
  • To improve our services (anonymised or aggregated data only).

5. Retention periods

We retain your data for the following periods, consistent with NHS record-keeping guidance and professional requirements:

  • Adult medical records: 8 years from the date of last contact.
  • Children’s medical records: until the patient’s 25th birthday (or 26th if the entry was made when the patient was 17).
  • Maternity records: 25 years after the birth of the last child.
  • Enquiry and contact form data: up to 24 months, then deleted.
  • Financial records: 7 years (HMRC requirement).
  • Website analytics: aggregated and anonymised after 14 months.

6. Who we share your data with

We only share your data where necessary and with appropriate safeguards in place. Parties we may share with include:

  • Centennial Medical Care and its consultants — for specialist referrals and continuity of care.
  • Your NHS GP — with your consent, to ensure continuity of care.
  • Your private medical insurer — where you have asked us to bill them directly.
  • Diagnostic laboratories and imaging providers — where tests are sent off-site.
  • Regulators and authorities — the Care Quality Commission, NHS England, Public Health England, and law enforcement where legally required.

We do not sell your personal data, and we do not share it for marketing purposes.

7. Third-party processors

We use carefully selected suppliers (“data processors”) who act on our instructions and under written contracts that include UK GDPR-compliant clauses. These include:

  • Semble — clinical management and online booking platform (health data processor).
  • Resend (or equivalent email service) — transactional email delivery.
  • Google Analytics — website usage analytics (if enabled — see cookie notice).
  • Vercel — website hosting.
  • A UK-based payment processor — to process card payments securely.

Where any processor is based outside the UK/EEA, we rely on UK International Data Transfer Agreements, the UK Addendum to the EU Standard Contractual Clauses, or adequacy decisions to safeguard your data.

8. Cookies and website analytics

Our website uses strictly necessary cookies to function. We may also use analytics cookies (e.g. Google Analytics) to understand how visitors use the site — these are only set with your consent, which you can give, refuse, or withdraw via our cookie banner.

9. Your rights

Under UK GDPR, you have the right to:

  • Access a copy of the personal data we hold about you (Subject Access Request).
  • Rectification of inaccurate or incomplete personal data.
  • Erasure (“right to be forgotten”) — subject to legal and clinical retention obligations.
  • Restriction of processing in certain circumstances.
  • Portability — to receive your data in a structured, machine-readable format.
  • Object to processing based on our legitimate interests.
  • Withdraw consent at any time, where processing is based on consent.
  • Not be subject to purely automated decision-making that has legal or significant effects on you.

To exercise any of these rights, please contact our Data Protection Officer at [DPO_EMAIL_TBC]. We will respond within one month.

10. Security

We use appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, role-based access, audit logging, staff training, and regular security reviews. Clinical systems are accessed only by authorised personnel.

11. Complaints

If you are unhappy with how we have handled your personal data, please first contact our Data Protection Officer at [DPO_EMAIL_TBC] so we can try to resolve your concern.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

12. Changes to this policy

We review this policy regularly. The current version and its last-updated date will always appear at the top of this page. Material changes will be highlighted on our website homepage.
