Privacy Policy
- Who We Are
Essex Podiatry Clinics Ltd
Company Registration Number: 04696969
Registered Address: 34B New Century Clinic, Laindon, SS15 6AG
Email: admin@essexpodiatryclinics.com
Directors: Clare Westwood-Surridge and Jack Kirby
Essex Podiatry Clinics Ltd is the Data Controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We provide podiatry and foot health services at four clinic locations in Essex: Laindon, Corringham, Rochford, and Maldon. We are registered with the appropriate UK regulatory and professional bodies and are committed to maintaining the confidentiality, integrity, and security of all personal data entrusted to us.
- What Information We Collect
We collect and process only the information necessary to provide safe, effective healthcare.
This may include:
Identity Data
- Full name
- Date of birth
- Gender
Contact Data
- Home address
- Email address
- Telephone numbers
Health Data (Special Category Data)
- Medical history
- Clinical assessments and treatment notes
- Referral letters and GP details
- Diagnostic images (e.g., foot scans or photographs)
- Medication information
- Clinical observations
Payment Data
- Billing information
- Payment history
Technical Data
- IP address
- Browser type and website usage data (if using online booking or our website)
Appointment & Communication Records
- Appointment schedules
- Correspondence records
- Follow-up communications
- How We Collect Your Data
We collect personal data in the following ways:
- Directly from you (via registration forms, consultations, telephone, or email)
- From your GP or other healthcare professionals (with your knowledge and consent where appropriate)
- Through our website or online booking platform
- Through our secure clinic management software, Cliniko
- How We Use Your Data
We use your personal data to:
- Provide podiatry and foot health care services
- Maintain accurate and contemporaneous medical records
- Communicate with you regarding appointments and treatment
- Process payments and issue invoices
- Comply with regulatory, legal, and professional obligations
- Undertake clinical audit, quality assurance, and service improvement
We do not sell personal data and we do not share data for marketing purposes.
- Lawful Basis for Processing
We process personal data in accordance with the UK GDPR and the Data Protection Act 2018.
Article 6 – Lawful Basis
We rely on one or more of the following lawful bases:
- Performance of a contract – to provide healthcare services requested by you
- Legal obligation – to comply with regulatory, safeguarding, taxation, and health and safety requirements
- Legitimate interests – for clinical governance, audit, fraud prevention, and service improvement (where your rights do not override those interests)
- Consent – where required for specific activities such as marketing communications
Article 9 – Special Category (Health) Data
As we process health data, we rely on:
Article 9(2)(h) UK GDPR
Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care treatment, or the management of health or social care systems and services.
All health data is processed by qualified healthcare professionals who are bound by professional confidentiality obligations.
- How We Store and Secure Your Data
Your data is securely stored using Cliniko, a cloud-based practice management system. Cliniko uses encryption, access controls, and secure infrastructure aligned with ISO 27001 standards.
We maintain:
- Role-based access controls
- Password-protected systems
- Secure clinic premises
- Locked filing storage where required
- Staff confidentiality agreements
- Regular data protection training
International Data Transfers
Cliniko’s servers are located in Australia. Where personal data is transferred outside the United Kingdom, appropriate safeguards are in place, including International Data Transfer Agreements (IDTA) or Standard Contractual Clauses (SCCs), to ensure your data remains protected to UK GDPR standards.
- Use of Clinical Documentation Support Software (AI)
Essex Podiatry Clinics Ltd may use secure clinical documentation support software, including Heidi AI note-writing software, to assist clinicians in drafting clinical notes during or following consultations.
This software:
- Is used solely to assist in clinical documentation
- Does not independently diagnose, treat, or make clinical decisions
- Does not replace professional judgement
- Is always reviewed, verified, and formally signed off by a qualified clinician before being saved to the patient record
- Operates under a formal Data Processing Agreement to ensure UK GDPR compliance
No automated decision-making or profiling is carried out that produces legal or similarly significant effects for patients under Article 22 UK GDPR.
Clinical responsibility always remains with the treating clinician.
- Data Sharing
We only share personal data where necessary and lawful. This may include:
- Referrals to GPs, consultants, or other healthcare professionals
- Communication with insurers (with your consent)
- Regulatory bodies where legally required
- HMRC or other legal authorities where required by law
- IT and system providers operating under strict confidentiality agreements
We ensure all third-party processors comply with UK data protection standards.
- How Long We Keep Your Data
We retain medical records in accordance with NHS and professional guidance:
- Adult records: Minimum of 8 years after last treatment
- Children’s records: Until the patient’s 25th birthday or 8 years after last treatment (whichever is longer)
After the retention period, records are securely deleted or anonymised.
Financial records are retained in line with statutory accounting requirements.
- Your Data Protection Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request erasure of your data (where legally applicable)
- Object to or restrict processing
- Data portability (where applicable)
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with the Information Commissioner’s Office (ICO)
To exercise your rights, please contact:
admin@essexpodiatryclinics.com
You also have the right to complain to the Information Commissioner’s Office at www.ico.org.uk.
- Cookies and Website Use
If you visit our website, anonymised analytics data may be collected via cookies to improve user experience.
You can control cookie preferences through your browser settings.
We do not use cookies for advertising, profiling, or behavioural marketing.
- Updates to This Policy
This Privacy Policy is reviewed at least annually and updated as required to reflect changes in legislation, regulatory guidance, technology, or the services we provide.
Where significant changes are made, the updated version will be published on our website and made available within our clinics.
The most current version of this policy will always be available upon request.
- Contact Details
If you have questions about how your data is handled, please contact:
Data Protection Lead
Essex Podiatry Clinics Ltd
34B New Century Clinic
Laindon
SS15 6AG
Email: admin@essexpodiatryclinics.com