Privacy Policy

This Privacy Policy sets out details of the information that St Judes may collect from you and how that information may be used. Please take your time to read this carefully.  This Privacy Policy:

  • provides you with a detailed overview of how we will manage your data, from the point at which it is gathered and onwards.
  • will give you all the details you need on how we use your information, and how we will comply with the law in doing so. We may also, with your specific agreement, contact you with marketing materials.
  • sets out your rights in respect of your personal information, and how to exercise them. You can, for instance, seek access to your medical information, object to us using your information in particular ways and request rectification of any information which is inaccurate.

About us - In this Privacy Policy we use "we" or "us" or "our" or "St Judes" to refer to St Judes Clinic using your personal information, and the clinicians who provide your treatment.

How to contact us - The Data Protection Officer ("DPO") helps ensure that St Judes comply with data protection law and can be contacted by:

  • Telephone: 01525 377751
  • Email: moira@stjudesclinic.com
  • Post: Data Protection Officer, St Judes Clinic, 26 Lake Street, Leighton Buzzard, Beds LU7 1RX.

If you would like further information about any of the matters in this Privacy Policy or have any other questions about how we collect, store or use your personal information, please contact the DPO using the details above.

What personal information do we collect and use from patients? We may use “special categories of personal information” (otherwise known as "special categories of data") about you, such as information relating to your physical and mental health. For example, if you are a patient we will need to use information about your health in order to treat you.

If you provide personal information to us about other individuals (including medical or financial information) you should inform the individual about the contents of this Privacy Policy. We will process such information in accordance with this Privacy Policy.  In addition, you should note that in the event you amend data which we already hold about you (for instance by amending a pre-populated form) then we will update our systems to reflect the amendments. Our systems will continue to store historical data.  The personal information we hold about you may include the following:

  • Name
  • Contact details, such as postal address, email address and telephone number (including mobile number)
  • Financial information
  • Occupation
  • Emergency contact details, including next of kin
  • Background referral details
  • Details of your current or former physical or mental health. This may include information about any healthcare you have received (both from St Judes directly and other healthcare providers such as GPs, dentists or hospitals (private and/or NHS. 

The confidentiality of your medical information is important to St Judes. We make every effort to prevent unauthorised access to and use of information relating to your current or former health. In doing so, St Judes complies with UK data protection law and from 25 May 2018, the current Data Protection Act will be replaced by the EU General Data Protection Regulation (GDPR) and a new Data Protection Act is pending. St Judes will comply with the GDPR and the new Data Protection Act from that date onwards.

CCTV and Audio recording - This practice is dedicated to the improvement of clinical and customer care. We digitally record images and audio to assist with staff training and for the safety of clients and staff and the monitoring of the security of premises.

How do we collect your information?  We may collect personal information from a number of different sources including, but not limited to:

  • GPs
  • Other hospitals, both NHS and private
  • Clinicians (including their administrators)

Directly from you - Information may be collected directly from you when: 

  • You enter into a contract with St Judes for the provision of healthcare services
  • You use those services
  • You complete enquiry forms on the St Judes website
  • You submit a query to us including through our website, by email or by social media
  • You correspond with us by letter, email, telephone or social media, including where you reference St Judes in a public social media post
  • You take part in our marketing activities

From third parties - As detailed in the previous section, it is often necessary to seek information from other healthcare organisations. We may also collect information about you from third parties when:

  • You are referred to us for treatment.
  • We liaise with your current or former health professional or other treatment or benefit provider
  • We liaise with your family
  • We liaise with your insurance policy provider
  • We liaise with anyone else that you give permission for us to contact eg gym instructor, person trainer etc.

How will we communicate with you?  In order to communicate with you, we are likely to do this by telephone, SMS, email, and/or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate.

To ensure that we provide you with timely updates and reminders in relation to your healthcare (including basic administration information and appointment information (including reminders)), we may communicate with you by SMS/email (where you have provided us with your email address) in each case where you have expressed a preference in the Patient Data Consent Form to be contacted by SMS/email. 

To provide you with your medical information/invoicing information, we may communicate with you by email where you have provided us with your email address (and have expressed a preference in the Patient Data Consent Form to be contacted by email.)

If we have your mobile number or your email address we may use this method of communication to contact you regarding patient surveys which are for the purpose of improving our service or monitoring outcomes and are not a form of marketing.

Please note that although providing your mobile number and email address and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, we are not relying on your consent to process your personal data in order to correspond with you about your treatment. As set out further below, processing your personal data for those purposes is justified on the basis that it is necessary to provide you with healthcare services.

Surveys - As detailed above, we may contact you to ask you to participate in surveys regarding your treatment at St Judes. The surveys will usually be sent by email and are used to gather information relating to your experience of St Judes.  It is necessary for us to process your personal data in order to contact you with these surveys, on the basis of our appropriate business needs and to improve the quality of the healthcare services we offer. Participation in the surveys is entirely voluntary.

In addition, we may also contact you to invite you to participate in surveys which aim to monitor the outcomes of your treatment. These surveys are not a form of marketing and they are sometimes called Patient Reported Outcome Measures (“PROMs”) and information from these may be shared with your private insurer as mentioned previously. If you choose to complete a PROMs survey you will also receive subsequent surveys following your treatment to help establish the benefit you have gained from treatment.  Currently for BUPA patients, these PROMs are obligatory.

What are the purposes for which your information is used? We may 'process' your information for a number of different purposes, which is essentially the language used by the law to mean using your data. Each time we use your data we must have a legal justification to do so. The particular justification will depend on the purpose of the proposed use of your data. When the information that we process is classed as “special category of personal information”, we must have a specific additional legal justification in order to use it as proposed.  Generally, we will rely on the following legal justifications, or 'grounds':

  • Taking steps at your request so that you can enter into a contract with St Judes to receive healthcare services from us.
  • For the purposes of providing you with healthcare pursuant to a contract between you and St Judes.
  • We have an appropriate business need to process your personal information and such business need does not cause harm to you. We will rely on this for activities such as quality assurance, maintaining our business records, developing and improving our products and services and monitoring outcomes.
  • We have a legal or regulatory obligation to use such personal information.
  • We need to use such personal information to establish, exercise or defend our legal rights.
  • You have provided your consent to our use of your personal information.

Note that failure to provide your information further to a contractual requirement with us may mean that we are unable to set you up as a patient or facilitate the provision of your healthcare on St Judes’ systems.  We provide further detail on these grounds in the sections below.

Appropriate business needs - One legal ground for processing personal data is where we do this in pursuit of legitimate interests and those interests are not overridden by your privacy rights. Where we refer to use for our appropriate business needs, we are relying on this legal ground.  Special categories of personal information include information about your health.

Purpose - to provide you with healthcare and related services.  The reason you come to us is to provide you with healthcare, and so we have to use your personal information for that. 

  • Legal grounds: Providing you with healthcare and related services.

Additional legal grounds for special categories of personal information:

  • We need to use the data in order to provide healthcare services to you.  The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent.

Purpose - account settlement.  We will use your personal information in order to ensure that your account and billing is fully accurate and up-to-date. 

  • Legal grounds: our providing you healthcare and other related services
  • Fulfilling our contract with you for the delivery of healthcare
  • Our having an appropriate business need to use your information which does not overly prejudice you

Additional legal grounds for special categories of personal information:

  • We need to use the data in order to provide healthcare services to you. 
  • The use is necessary in order for us to establish, exercise or defend our legal rights.

Purpose – clinical audit.  St Judes may process your personal data for the purposes of local clinical audit – ie an audit carried by St Judes for the purposes of assessing outcomes for patients and identifying improvements which could be made for the future. We are able to do so on the basis of a legitimate interest and the public interest in statistical and scientific research, and with appropriate safeguards in place. You are, however, entitled to object to us using your personal data for this purpose, and as a result of which we would need to stop doing so. If you would like to raise such an objection then please contact our Data Protection Officer using the details provided at the top of the page. 

  • Legal grounds: we have a legitimate interest in helping with clinical audit and have put appropriate safeguards in place to protect your privacy.

Additional legal grounds for special categories of personal information:

  • The processing is necessary in the public interest for statistical and scientific research purposes.

Purpose - communicating with other healthcare professionals.  Other healthcare professionals or organisations may need to know about your treatment in order for them to provide you with safe and effective care, and so we may need to share your personal information with them. Further details on the third parties who may need access to your information is set out below.

  • Legal grounds: our providing you with healthcare and other related services.
  • We have a legitimate interest in ensuring that other healthcare professionals who are routinely involved in your care have a full picture of your treatment.

Additional legal ground for special categories of personal information:

  • We need to use the data in order to provide healthcare services to you
  • The use is necessary for reasons of substantial public interest under UK law
  • The use is necessary in order for us to establish, exercise or defend our legal rights

Purpose - complying with our legal or regulatory obligations and defending or exercising our legal rights.  As a provider of healthcare, we are subject to a wide range of legal and regulatory responsibilities which is not possible to list fully here. We may be required by law or by regulators to provide personal information, and in which case we will have a legal responsibility to do so. If a complaint is ever raised against St Judes or its clinicians, we may have to access your personal information to fully investigate and respond to any allegations.  Your information is only accessed for what is necessary and relevant to the subject matter.

  • Legal grounds: the use is necessary in order for us to comply with our legal obligations

Additional legal ground for special categories of personal information:

  • We need to use the data in order for others to provide informed healthcare services to you
  • The use is necessary for reasons of the provision of health or social care or treatment or the management of health or social care systems
  • The use is necessary for establishing, exercising or defending legal claims

Purpose - providing improved quality, training and security including conducting post treatment surveys.  St Judes is a quality-conscious organisation, and always looking to learn from patients’ experiences in order to improve the experience for future patients. With that in mind, we will use your personal information to identify where such improvements can be made, such as reviewing patient surveys to assess whether anything can be learnt and contacting you to seek your valuable thoughts on the St Judes experience.

  • Legal grounds: our having an appropriate business need to use your information which does not overly prejudice you.

 Additional legal ground for special categories of personal information:

  • We need to use the data in order to manage the healthcare services we deliver, including carrying out surveys in order to identify and carry out any necessary improvements.

Purpose - managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (eg tax or legal advice)

In order to do this, we will not need to use your special categories of personal information and so we have not identified the additional ground to use your information for this purpose.

  • Legal grounds: our having an appropriate business need to use your information which does not overly prejudice you.

Purpose - provide marketing information to you in accordance with preferences you have expressed in the Patient Data Consent Form.  As a business, we need to carry out marketing but we are mindful of your rights and expectations in that regard. As a result, we will only provide you with marketing which is relevant to our business and only where you have specifically confirmed your consent to do so.

  • Legal grounds: our having an appropriate business need to use your information which does not overly prejudice you.
  • You have provided your consent.

Who do we share your information with?  From time to time, we may share your personal information to the third parties listed below for the purposes described in this Privacy Policy. This might include:

  • A doctor, nurse, carer or any other healthcare professional involved in your treatment
  • Other members of support staff involved in the delivery of your care, eg administrators
  • Anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin or carer
  • Other private sector healthcare providers
  • Your GP or dentist
  • Your clinician (including their administrators)
  • Our third-party services providers such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document management providers and tax advisers

We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.

What marketing activities do we carry out?  We may also use your personal information to provide you with information about products or services which may be of interest to you where you have provided your consent for us to do so.  If you no longer wish to receive marketing emails sent by us, you can click on the "unsubscribe" link that appears in all of our emails, otherwise you can always contact us using the details set out at the top of the page to update your contact preferences.

How long do we keep personal information for?  We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Policy and in order to comply with our legal and regulatory obligations.  Further information is available in our Records Management Policy upon request to the DPO at St Judes.

Medical notes: We collect data from you to meet certain requirements regarding your medical notes. There is a legal requirement to keep medical notes for a period of time after treatment. This can vary in length depending upon your age and ability to consent but will be for a minimum of 8 years. We may keep your notes for longer than this minimum period if it is deemed necessary to do so. Your notes will then be securely destroyed. Please note that your right to be forgotten cannot override the legal requirement to keep medical records for this mandatory period. Your health records and data are held securely and in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act.

Your rights - Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details set out above at the top of the page.

There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act (current and future), the General Data Protection Regulation as well as any secondary legislation which regulates the use of personal information.

Subject Access Request (SAR): The Data Protection Act 1998 (DPA) gives individuals the right to view the information stored on them by making a written ‘subject access request’ (SAR).This written request should be emailed to: admin@stjudesclinic.com and marked “Subject Access Request.” You will be asked to provide evidence of your identity and once received St Judes Clinic will respond within 30 days to your request.  There will not usually be a charge for sending records electronically unless your notes are particularly lengthy or time consuming to extract, in which case we will speak to you about this beforehand.  If you are requesting the personal information of another individual person on their behalf, you will be required to provide us with satisfactory proof that you have the individual’s authority to act on their behalf.

Your rights include: 

The right to access your personal information - You are usually entitled to a copy of the personal information we hold about you and details about how we use it. Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (eg by email) the information will be provided to you by electronic means where possible. You are entitled to the following under data protection law - Under Article 15(1) of the GDPR we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:

  • The purposes for which we use your personal information. 
  • The types of personal information we hold about you.
  • Who your personal information has been or will be shared with, including in particular organisations based outside the EEA.
  • If your personal information leaves the EU, how we make sure that it is protected
  • Where possible, the length of time we expect to hold your personal information.  If that is not possible, the criteria we use to determine how long we hold your information for.
  • If the personal data we hold about you was not provided by you, details of the source of the information.
  • Your right to ask us to amend or delete your personal information.
  • Your right to ask us to restrict how your personal information is used or to object to our use of your personal information.
  • Your right to complain to the Information Commissioner's Office

We also need to provide you with a copy of your personal data.

The right to rectification - We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.

The right to erasure (also known as the right to be forgotten) - We may update this Privacy Policy from time to time to ensure that it remains accurate.  In the event that there are any material changes to the manner in which your personal information is to be used then we will provide you with an updated copy of this Privacy Policy.

You have the right to request that we delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.  In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

The right to restriction of processing - In some circumstances, we must "pause" our use of your personal data if you ask us to. We do not have to comply with all requests to restrict our use of your personal information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.

The right to data portability - In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible another individual/organisation of your choice.) The information must be transferred in an electronic format.  (ie email follow-up letter to Consultant when sending a copy to a patient.)

The right to object to marketing - You can ask us to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting the DPO or by clicking the unsubscribe link at the bottom of any marketing communications.

The right to withdraw consent - In some cases we need your consent in order for our use of your personal information to comply with data protection legislation.

We have explained in the section entitled "What are the purposes for which your information is used?" where we rely on your consent in this way. Where we do this, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting St Judes’ DPO whose details at the top of the page.

The right to complain to the Information Commissioner's Office - You can complain to the Information Commissioner's Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.  More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/  Making a complaint will not affect any other legal rights that you have.

This Privacy Policy was last updated in September 2022.