Introduction
Purpose: explain how we collect, use, store and protect personal data of patients, clients, staff and suppliers in line with the UK GDPR and Data Protection Act 2018.
Scope: applies to all personal data processed by Anna’s Aesthetics across all sites and services.
Data Controller
Controllers: Anna Cripps & Lisa Beard, Anna’s Aesthetics Limited, 176 Albert Rd, Southsea, Portsmouth, Southsea PO4 0JT, 07912 077283, annapond@annasaesthetic.com
ICO Registration Number: ZC062126
Personal Data We Collect
· Patient/client identity and contact details (name, DOB, address, phone, email).
· Medical and treatment information (medical history, medications, allergies, consent forms, treatment notes, photos).
· Financial and billing information (card details via payment processor, invoices, insurance).
· Appointment, communication and marketing preferences.
· Staff and supplier personal data as required for employment/contract management.
Special Category (sensitive) Data
· Medical and health data are special category data. We process these only where necessary for healthcare provision, with explicit consent or other lawful basis permitted by law.
Purposes and Lawful Bases for Processing
· Treatment and healthcare provision - lawful basis: necessary for medical diagnosis, provision of health, and for the performance of a contract.
· Registration, scheduling and communications - lawful basis: contract performance and legitimate interests.
· Billing and insurance claims - lawful basis: contract performance and legal obligation.
· Photographs for clinical records and auditing - lawful basis: explicit consent (for marketing use) and healthcare purposes for clinical records.
· Marketing (email/SMS) - lawful basis: consent; opt-in required and easy opt-out provided.
· Staff management and payroll - lawful basis: legal obligation and contract performance.
· Quality assurance, audit and safety reporting - lawful basis: legitimate interests balanced against individuals’ rights; special-category data processed where necessary for health services.
How We Collect Data
· Directly from patients during registration, consultation, consent, online booking and communications.
· From referring clinicians, statutory registries, insurers and authorised third parties.
· From booking systems.
· Only minimal data required for the purpose is collected (data minimisation).
· Consent and Explicit Consent
· Consent is sought where required (e.g., marketing, use of identifiable photos for promotional purposes).
· Patients can withdraw consent at any time without affecting care; withdrawal does not make processing prior to withdrawal unlawful.
Data Sharing and Third Parties
We share data only where necessary and with appropriate safeguards:
· NHS or other healthcare providers (with consent or where necessary for care).
· Payment processors and insurers (for billing).
· IT and cloud service providers (data processors under contract).
· Regulatory or law enforcement bodies where legally required.
· All processors are contractually required to implement appropriate technical and organisational measures.
Data Retention
· Medical records / clinical notes: retained in line with professional guidance 8 years.
· Appointment and administrative records: retained for 7 years.
· Retention periods must be documented and periodically reviewed.
Security Measures
· Physical: secure premises, controlled access, locked storage for paper records.
· Technical: encrypted devices and backups, password policies, role-based access, secure email, up-to-date antivirus, firewalls.
· Organisational: staff training, confidentiality agreements, data-sharing contracts, regular audits.
Data Subject Rights
Patients and data subjects can:
· Request access to their personal data (Subject Access Request).
· Request rectification of inaccurate data.
· Request erasure where lawful (note: medical records retention obligations may limit this).
· Request restriction of processing.
· Object to processing (including direct marketing).
· Request data portability where applicable.
· Withdraw consent where applicable.
· Complain to the Information Commissioner’s Office (ICO) - www.ico.org.uk
Subject Access Requests (SARs) and Complaints
· SAR process: verify identity, respond within 1 month (extendable in complex cases).
· Fees: usually free unless manifestly unfounded or excessive.
· Complaints: internal complaint route: contact Anna Cripps or Lisa Beard / 07912 077283 / annapond@annasaesthetic.com. If unresolved, complain to the ICO.
Data Breach Response
· Incidents are logged and investigated. If a breach is likely to result in a risk to individuals’ rights and freedoms, we will notify the ICO within 72 hours and affected individuals where required.
· Breach response includes containment, assessment, remediation and record-keeping.
Data Protection Impact Assessments (DPIAs)
· DPIAs are completed for high-risk processing (e.g., new systems for health data, large-scale sharing, CCTV expansion).
· Findings inform mitigation and governance.
Staff Responsibilities and Training
· All staff must handle personal data lawfully and confidentially.
· Regular GDPR and confidentiality training is mandatory.
· Access is on a need-to-know basis and logged.
· Records and Accountability
· We maintain processing records in accordance with GDPR Article 30.
· Regular audits and reviews of policies, retention schedules and security.
Policy Review
This policy is reviewed annually or when required by legislative or operational changes. Next review date: June 2027.
Contact and Further Information
Data Controller: Anna Cripps & Lisa Beard
DPO / Data contact: Anna Pond & Lisa Beard / 07912 077283 / annapond@annasaesthetic.com
ICO: www.ico.org.uk — telephone: 0303 123 1113.