The Grange Clinic

Privacy Policy

GDPR Policy

The Data Protection Act 2018 (DPA) requires a clear direction on policy for security of information held within the organisation and provides individuals with a right of access to a copy of information held about them. As of May 2018, this policy is now referred to as the General Data Protection Regulation (GDPR).

The organisation needs to collect personal information about people with whom it deals in order to carry out its business and provide its services. Such people include clients, employees (present, past and prospective), suppliers and other business contacts. The information we hold will include personal, sensitive and corporate information. In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law. No matter how it is collected, recorded and used (e.g. on a computer or on paper) this personal information must be dealt with properly to ensure compliance with the Data Protection Act 2018.

The lawful and proper treatment of personal information by the organisation is extremely important to the success of our business and in order to maintain the confidence of our service users and employees. We ensure that the organisation treats personal information lawfully and correctly.

This policy provides direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.

General Data Protection Regulation Principles

See also: Access to Medical Records policy [*], which covers Subject Access Requests under the Data Protection Act.

We support fully and comply with the eight principles of the Act which are summarised below:

1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained/processed for specific lawful purposes.
3. Personal data held must be adequate, relevant and not excessive.
4. Personal data must be accurate and kept up to date.
5. Personal data shall not be kept for longer than necessary.
6. Personal data shall be processed in accordance with rights of data subjects.
7. Personal data must be kept secure.

Who does the GDPR apply to?

The GDPR applies to ‘controllers’ and ‘processors’. 
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

What information does the GDPR apply to?

Personal data
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.


The recording of data within the organisation is under the management and control of Mrs Aenone Harper-Machin, who is the IT lead Clinician for the organisation.

The quality of data, the use of templates and the use of specific coding is reviewed on an ongoing basis and the findings are discussed at clinical policy meetings.
Mrs Aenone Harper-Machin, is responsible for data quality issues within the organisation and will ensure accuracy and consistency in recording data among both the clinicians and the administrative or casual staff.
Mr David Machin is the non-clinical manager responsible for audit and exception identification and reporting within the organisation.

Any queries should be addressed to the lead Clinician.


We need to hold personal information about you on our computer system and in paper records to help us to look after your health needs, and your clinician is responsible for their accuracy and safe-keeping. Please help to keep your record up to date by informing us of any changes to your circumstances.

Clinicians and staff in the organisation have access to your medical records to enable them to do their jobs. From time to time information may be shared with others involved in your care if it is necessary. Anyone with access to your record is properly trained in confidentiality issues and is governed by both a legal and contractual duty to keep your details private.

All information about you is held securely and appropriate safeguards are in place to prevent accidental loss.

In some circumstances we may be required by law to release your details to statutory or other official bodies, for example if a court order is presented, or in the case of public health issues. In other circumstances you may be required to give written consent before information is released – such as for medical reports for insurance, solicitors etc.

To ensure your privacy, we will not disclose information over the telephone or fax unless we are sure that we are talking to you. Information will not be disclosed to family, friends, or spouses unless we have prior written consent, and we do not leave messages with others.