Privacy Policy for Medicana Winchester Limited
Last Updated: 4 September 2025
Medicana Winchester Limited (Company Number: 15354765) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you visit our website (www.medicana.co.uk), use our healthcare services, and when you apply for or are employed in a role within our organisation.
This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
When we explain how we handle your personal data, we use terms such as “Medicana Winchester Clinic,” “the Clinic,” “we,” “us,” or “our.” These refer to Medicana Winchester Limited (also known as Trustees of Medicana Winchester Limited, Company Number: 15354765). We are a limited company and a registered healthcare provider in England and Wales.
In almost all circumstances, we are the “data controller” of your personal data. This means we decide how and why your data is processed, ensuring that any third parties we work with also handle your data securely and in compliance with UK Data Protection Laws. If another organisation acts as the data controller for your data in a specific situation, we will inform you.
If you have any questions or concerns about your personal data, you can contact our Data Protection Officer (DPO):
📧 Email: privacy@medicana.co.uk
✔ Do we process your personal data?
✔ Do we process special category data?
✔ Do we inform you when we collect your data and how it will be used?
✔ Do we require your consent to process your data?
✔ Do we use your data for analytics?
✔ Do we share your personal data?
✔ Do we sell your personal data?
✔ Do we send you marketing communications?
✔ Do we retain your data only as long as necessary?
✔ Do we keep your data secure?
✔ Do our staff receive data protection training?
✔ Do we limit access to your personal data?
✔ Do we ensure your rights under UK GDPR are protected?
We use personal data to:
✔ Provide medical care (appointments, diagnosis, treatment).
✔ Manage patient records and process payments.
✔ Monitor and enhance service quality through audits and feedback.
✔ Meet legal and regulatory obligations (NHS, ICO, CQC compliance).
✔ Ensure security and fraud prevention (CCTV and IT monitoring).
✔ Communicate with you (appointment reminders, test results).
We do not sell your personal data to third parties.
At Medicana Winchester Clinic, we collect only the minimum necessary personal data to provide you with high-quality healthcare services and to fulfil our legal and regulatory obligations. The type of data we collect depends on your interaction with us, and we ensure that only authorised personnel with a legitimate need can access your information.
Below is a summary of the types of data we collect and why we collect them:
Contact & Demographic Data
Health & Medical Data (Special Category Data under UK GDPR)
Race & Ethnic Origin Data (Special Category Data under UK GDPR)
Religious Beliefs & Preferences (Optional & Provided by You)
Sexual Orientation, Gender Identity & Sex Life Data (Special Category Data under UK GDPR)
Genetic Data (Special Category Data under UK GDPR)
Financial & Payment Data
Other People’s Data (Next of Kin & Family Medical History)
At Medicana Winchester Clinic, we process your personal and health data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Every time we process your data, we ensure that we have a lawful basis for doing so.
Below, we explain the legal grounds under which we process your personal data:
A. Legal Bases for Processing Your Personal Data
We process your personal data if:
It is Necessary to Provide Your Healthcare Services
It is in Our or a Third Party’s Legitimate Interest (Without Overriding Your Rights and Freedoms)
It is Required by Law
You Have Given Explicit Consent (When No Other Legal Basis Applies)
B. Legal Bases for Processing Special Category Data (Sensitive Health Data)
Because health data is considered special category data under UK GDPR, we must have an additional legal basis when processing it. This includes:
Medical Diagnosis, Treatment & Healthcare Services
Explicit Consent
Legal Claims or Court Proceedings
Compliance with Employment Laws
Public Interest & Regulatory Compliance
This section explains how we handle the personal data of individuals who apply for a job or are employed by Medicana Winchester Limited.
As part of our recruitment and employment processes, we may collect and process the following types of personal data:
Contact and Personal Details: Full name, address, phone number, email, and date of birth.
Employment History: CVs, employment history, education, professional qualifications, and references.
Eligibility to Work: Documentation proving your right to work in the UK.
Financial Information: Bank details and tax information for payroll and expenses.
Special Category Data: Information on ethnicity, disability status, or health, which you may voluntarily provide for equal opportunities monitoring and to comply with legal requirements.
We use your data for the following purposes:
Recruitment and Selection: To evaluate your application, arrange interviews, and make a hiring decision.
Contract Management: To enter into and manage your employment contract.
Payroll and Benefits: To process your salary, taxes, and other employment benefits.
Legal Obligations: To comply with UK laws and the requirements of the NHS Jobs platform.
Internal Operations: For training, performance management, and workforce planning.
We process staff and applicant data based on the following legal grounds:
Performance of a Contract: For data needed to manage the recruitment and employment contract.
Legal Obligation: To comply with legal requirements such as tax, national insurance, and right-to-work checks.
Legitimate Interests: To manage business operations, ensure security, and prevent fraud, where your rights and freedoms are not overridden.
We only share your staff data when legally required or as part of our business processes:
NHS Jobs: To manage the recruitment process.
HMRC: For tax and National Insurance purposes.
Pension Providers and Banks: To process payroll and pension contributions.
Legal and Regulatory Bodies: To comply with legal requirements.
We retain employee records for a period required by law (e.g., 6 years after employment ends for tax purposes). Data from unsuccessful job applications is typically kept for 6 months to protect the rights of applicants and in case of any legal claims.
We collect your data through:
✔ Website Forms – Appointment bookings, contact forms.
✔ Direct Communications – Emails, phone calls, consultations.
✔ CCTV Surveillance – Recorded in public areas for security.
✔ Cookies & Tracking – Analytics from website visits (see Cookie Policy).
✔ Application Forms – Submitted via NHS Jobs or directly to us.
✔ Third Parties – References from previous employers and background check providers.
We only share your data where legally required or with your consent:
✔ NHS & Healthcare Providers – For patient referrals and medical care.
✔ Regulatory Authorities (ICO, NHS England, CQC) – Legal compliance.
✔ Payment Providers – Secure processing of transactions.
✔ Cloud Storage & IT Security Partners – Cybersecurity and data protection.
✔ For Staff and Applicants: We also share data with HMRC, pension providers, and payroll service providers as outlined in Section 5.4.
If data is transferred outside the UK, we ensure:
✔ Adequate Protection (e.g., EU countries with GDPR equivalence).
✔ Standard Contractual Clauses (SCCs) for non-EU/UK providers.
We utilise systems, technologies, and support vendors that may store or access your personal data on physical servers or in cloud storage located both within the United Kingdom and abroad. This includes locations within the European Economic Area (EEA) as well as, in limited circumstances, countries outside the EEA, such as the United States of America.
When we store or share your personal data with a third party in a country outside the UK or EEA, we implement appropriate safeguards to ensure your data is protected in accordance with applicable Data Protection Laws and the guidance provided by the Information Commissioner’s Office (ICO). These safeguards may include:
Entering into binding contractual agreements with third-party suppliers;
Implementing robust technical measures to ensure the security of your data during transfer and storage.
Additionally, if you reside outside the UK and require that part of your care is provided by a third party located in a different country, we may need to share your data with that third party. In such cases, we ensure that all necessary protections are in place to maintain the confidentiality and integrity of your personal data.
We retain your data for:
✔ Medical Records – At least 8 years (as per NHS policy).
✔ Financial Records – 6 years for legal & accounting purposes.
✔ CCTV Footage – Typically stored for 30 days, unless required for security investigations.
✔ Cookies & Analytics – Based on cookie type (see Cookie Policy).
✔ Staff Records – For a period required by law after employment ends (e.g., 6 years).
✔ Unsuccessful Applicant Data – Generally for 6 months.
We take strict measures to protect your data:
✔ Encryption & Secure Storage – Ensures protection against cyber threats.
✔ Access Controls – Only authorised personnel can access your data.
✔ Regular Security Audits – To prevent unauthorised access or breaches.
You have the right to:
✔ Access your data – Request a copy of your personal information.
✔ Correct inaccurate data – Ask us to update incorrect details.
✔ Request deletion – Under certain legal conditions.
✔ Object to processing – Especially for marketing purposes.
✔ Restrict processing – If you contest data accuracy.
✔ Data Portability – Receive your data in a structured format.
✔ Withdraw consent – If data processing is based on consent.
To exercise your rights, email privacy@medicana.co.uk.
If you are unsatisfied, you can contact the UK Information Commissioner’s Office (ICO):
📍 Website: www.ico.org.uk
📍 Phone: 0303 123 1113
When visiting our website, a cookie banner allows you to:
✔ Accept or reject Essential Cookies (required for website functionality).
✔ Manage Analytical Cookies (to improve user experience).
✔ Control Marketing Cookies (for personalised content).
See our Cookie Policy for full details.
We use CCTV cameras for:
✔ Patient and staff safety.
✔ Crime prevention and investigation.
✔ Regulatory compliance.
Footage is securely stored and access is restricted to authorised personnel.
We may contact you via:
✔ Phone, SMS, email, or post – For appointment reminders & test results.
✔ Voicemail messages – We ensure discretion.
If your contact details change, please update us.
✔ We never use your data for marketing without consent.
✔ You can opt out anytime by contacting privacy@medicana.co.uk.
If you have concerns about our data handling:
📍 Contact our DPO at privacy@medicana.co.uk
📍 Write to Medicana Winchester Limited, Chilcomb Park, Chilcomb Lane, Winchester, SO21 1HU
📍 Complain to the ICO at www.ico.org.uk
We regularly review this policy. Changes will be posted on our website.
Need More Information? Visit www.medicana.co.uk/privacy or contact privacy@medicana.co.uk.