Privacy Policy

Why are we processing your data?

Under the GDPR, our legal basis for the initial processing of your data is as follows:

Article 6 (1) (f): ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’, and

Article 9 (h): ‘processing necessary for … the provision of health or social care or treatment of health or social care systems …’

Our legitimate interests are that as a part of a contract with you to provide medical services, we give you advice and treatment in support of your health and well-being.

Under common law, we will seek your consent before the release of your personal data to a third party.

What kinds of information do we process?

As part of our medical practice provision we process:

  • Private GP records
  • Lifestyle health screening records
  • Counselling referrals records
  • Physiotherapy referrals records
  • Vaccinations records
  • Appointment records
  • Equipment calibration records
  • Clinical audit records
  • Medical equipment use records
  • Complaints records

Will we share your data with anyone?

We only share your data if it is absolutely necessary for providing you with the medical service agreed with you. To provide the service your data may be shared with your GP or other healthcare practitioners to meet your health requirements. In addition, periodically, your anonymised data may be shared with statutory bodies in order to undertake clinical audits that ensure we continually improve our clinical standards.

We only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement, to treat your information as respectfully as we do, and in accordance with the requirements of the General Data Protection Regulation. Your data will only ever be processed within the United Kingdom. Suppliers may include organisations providing counselling, physiotherapy or blood screening services, for example.

How long will we keep your data for?

At BHSF Medical Practice, we store your data in line with regulatory and contractual requirements. Different types of health data must be retained for different periods of time due to regulatory requirements and potential for litigation. For example, health surveillance data will be kept for up to 40 years in compliance with the Care of Substances Hazardous to Health Regs. 2002. We are committed to storing all your data securely for the full duration of its retention. We will take appropriate technical and organisational security measures to safeguard information.

Will we use your data to make automated decisions?


Do you have to agree to us processing your data?

As a provider of health services, we can legitimately process your data under clause 6(f) and 9(h) of the GDPR without requiring your consent. This processing does not include the release of all or any part of your personal data, and your explicit consent will always be sought for this.