The GDPR applies to ‘personal data’. This means data which relates to a living individual who can be identified from this data, or from other information which is in the possession of, or is likely to come into the possession of, the data controller.
Personal data includes, for example: name, NHS Number, or a computer IP address. ‘Personal data’ which reveals the health status of an individual is termed ‘special category’ data under the GDPR. This includes computerised and paper records.
Asking for a patient’s consent to disclose their personal data (information) shows respect and is part of good communication between doctors and patients. Consent may be explicit or implied:
- Explicit (also known as express) consent is given when a patient actively agrees, either orally or in writing, to the use or disclosure of information.
- Implied consent refers to circumstances in which it would be reasonable to infer that the patient agrees to the use of the information, even though this
This is a Privacy Notice, also known as a Fair Processing Notice.
It should not be confused with the Website Privacy Statement (see below), which concerns the use of this website.
This notice describes how the Cotswold Diagnostic Clinic uses and manages the personal data it holds about its patients, including how the personal data may be shared with NHS or non-NHS organisations, and how the confidentiality of a patient's personal data is maintained.
The Cotswold Diagnostic Clinic holds personal data about its patients for the purposes of providing them with appropriate care and treatment.
The Cotswold Diagnostic Clinic keeps records about the diagnostic tests and treatment it provides to its patients. This helps to ensure that patients receive the best possible care from the Cotswold Diagnostic Clinic.
The lawful basis for collecting your personal data
The GDPR creates a lawful basis for processing ‘special category’ health data when it is for the provision of direct care that does not require explicit consent (see consent definition at the top of the page).
The lawful basis for processing personal data
GDPR Article 6 (1) (f): ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’
The 'special category' basis for processing personal data as a private practitioner
GDPR Article 9 (2) (h): ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment.’
The common law duty of confidentiality
Implied consent is valid to share confidential health data for the provision of direct care; i.e. when a patient agrees to a referral from one healthcare professional to another, and this implies their consent for sharing relevant information to support the referral (unless the patient objects). The referral information can then be disclosed under GDPR using the articles above. This is in line with GMC guidance (confidentiality: good practice in handling patient information - see below*).
Implied consent also covers access for local clinical audit purposes, provided this is carried out by the direct health care team. The Cotswold Diagnostic Clinic does perform regular audits, but the patient identifiable information is not shared with anyone else.
Reference: Guidelines from the General Medical Council*
Relevant information should be shared with those who provide or support direct care to a patient, unless the patient has objected. The usual basis for sharing information for a patient’s own care is the patient’s consent, whether that is explicit or implied (see consent definition at the top of the page).
Implied consent may be relied upon to access relevant information about the patient or to share it with those who provide (or support the provision of) direct care to the patient if all of the following are met:
- Information is being accessed to provide or support the individual patient’s direct care or the person being sent the information is accessing or receiving it for this purpose (i.e. GP surgery).
- Information is readily available to patients, explaining how their information will be used and that they have the right to object. This can be provided in leaflets and posters, on websites, and face to face (e.g. a privacy notice).
- There is no reason to believe the patient has objected.
- Anyone receiving personal data understands that it is given in confidence, which must be respected (i.e. GP surgery staff).
What kind of personal data does the Cotswold Diagnostic Clinic hold about its patients?
- Identity details – name, date of birth
- Contact details – address, telephone, email address.
- Results of ultrasound and MRI scans
- Details of ultrasound guided injections given
- GP practice and health professional referrer details
By providing the Cotswold Diagnostic Clinic with their contact details, patients are agreeing to the Cotswold Diagnostic Clinic using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address).
How we protect your personal data
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal data. Further information is available on request if you are a patient who has received health care services from the Cotswold Diagnostic Clinic.
How are my patient records shared?
Common reason for the Cotswold Diagnostic Clinic to share patient records:
- Disclosure to GPs and other health professionals for the purposes of providing direct health care and treatment to the patient.
Very uncommon or rare reasons to share patient records:
- Disclosure to those with parental responsibility for patients, including guardians.
- Disclosure to bodies with statutory investigative powers - e.g. the CQC, the GMC, the Audit Commission, the Health Service Ombudsman.
- Disclosure to solicitors, to the police, to the Courts (including a Coroner's Court), and to tribunals and enquiries.
Confidential patient-identifiable information is ONLY shared with other organisations where there is a legal basis for it as follows:
- When the patient has implicitly consented to the sharing for direct care purposes
- When the patient has given his/her explicit consent to the sharing
- When there is a Court Order or a statutory duty to share patient data
- When there is a statutory power to share patient data
How long are my health records retained for?
All patient records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate minimum length of time each type of NHS record is retained. The Cotswold Diagnostic Clinic does not keep patient records for longer than necessary.
All records are destroyed confidentially once their retention period has been met and if the Cotswold Diagnostic Clinic has made the decision that the records are no longer required.
All records for children and young people should be retained until the patient is 25 (or 26 if they are 17 when treatment ends), or 8 years after their death, if sooner. If a child's illness or death could be relevant to an adult condition or have genetic implications for their family, records may be kept for longer.
The standard minimum data retention period for adults is 8 years.
Retention of records for clinical purposes can be for as long as there is a clinical need to hold the records.
For adult records, after 20 years there will be an appraisal as to the historical importance of the information and a decision made as to whether they should be destroyed or kept for archival value (i.e. would the records be useful for comparison with subsequent scans).
Your right to erasure (‘right to be forgotten’)
The right to erasure applies only in specific circumstances, for example, when the processing is no longer necessary or when the processing has been unlawful. It is extremely unlikely that these circumstances will be relevant in a health context.
Who is the data controller?
Dr Russell Young, Consultant Musculoskeletal Radiologist and Director of the Cotswold Diagnostic Clinic.
Registered with the Information Commissioner's Office as a data controller Z3530275, as required by the Data Protection Act 1998.
Declining consent for sharing personal data (right to object)
In those instances where the legal basis for sharing of confidential personal data relies on the patient's explicit or implied consent, then the patient has the right at any time to object to the information sharing.
However, this is unlikely to be necessary in a healthcare setting, as healthcare practitioners usually have compelling legitimate grounds for processing the personal data of their patient.
If a patient has concerns over sharing their personal data with others who are providing their care, then the possible consequences of declining consent will be fully explained to and discussed with the patient at the time.
At the Cotswold Diagnostic Clinic, this is only likely to occur with regard to sending a copy of the patient's ultrasound report to their GP, and this would be routinely discussed at the time of the consultation.
In instances where the legal basis for sharing personal data relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.
Raising a concern
Patients who have a concern about any aspect of their care or treatment should contact the Cotswold Diagnostic Clinic directly (see contact details above or below on this page).
Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way the Cotswold Diagnostic Clinic has handled or shared their personal data:
Information Commissioner's Office (ICO)
Tel: 0303 123 1113 or 01625 545745
Where you provide personal information via email, it will only be used for the service you requested, for example when asking for information or giving feedback.
We will endeavour to ensure that all content on this website is current, but we cannot be held responsible for any problems arising from out of date or inaccurate information contained within this site.
This site also offers links to other websites which are beyond the control of the Cotswold Diagnostic Clinic.
These links are provided with the aim of enhancing your visit and helping you find other relevant information.
We cannot accept responsibility for any errors, omissions or out of date content on sites to which we link.
This website uses Google Analytics and other measurement tools to help analyse how users use the site. These tools use 'cookies', which are text files placed on your computer to collect standard internet log information and visitor behaviour information. This data is entirely anonymous.
Cookies cannot be used to get data from your hard drive, get your e-mail address or personally-identifiable information about you. The information generated by the cookie about your use of the website (including your IP address) is transmitted to Google. This information is then used to evaluate visitors' use of the website and to compile statistical reports on website activity.
We will never use (and will never allow any third party to use) these statistical analytics tools to track or to collect any personally identifiable information about visitors to our site. Google will not associate your IP address with any other data held by Google. Neither will we link, or seek to link, an IP address with the identity of a computer user.
You may set your Internet browser to notify you when you receive a cookie or to prevent cookies from being sent. Please note, however, that by not accepting cookies, you may limit the functionality we can provide you when you visit our site.
While we use reasonable security methods to protect the data contained within our servers, we cannot guarantee or warrant the security of the information you transmit to us, nor that the information that users supply will not be intercepted while being transmitted to us over the Internet.
Acceptance of terms
By using this website, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our site. Your continued use of the site following the posting of changes to this policy will be deemed your acceptance of those changes. We do not store or track IP addresses with the exception of firewall blacklisting for security purposes.