Privacy Policy for Medicana Winchester Limited
Last Updated: 21 February 2025
Medicana Winchester Limited (Company Number: 15354765) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you visit our website (www.medicana.co.uk) and use our healthcare services.
This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
When we explain how we handle your personal data, we use terms such as “Medicana Winchester Clinic,” “the Clinic,” “we,” “us,” or “our.” These refer to Medicana Winchester Limited (also known as Trustees of Medicana Winchester Limited, Company Number: 15354765). We are a limited company and a registered healthcare provider in England and Wales.
In almost all circumstances, we are the “data controller” of your personal data. This means we decide how and why your data is processed, ensuring that any third parties we work with also handle your data securely and in compliance with UK Data Protection Laws. If another organisation acts as the data controller for your data in a specific situation, we will inform you.
If you have any questions or concerns about your personal data, you can contact our Data Protection Officer (DPO):
📧 Email: privacy@medicana.co.uk
What We Do with Your Data
Yes, if you are a current, former, or referred patient, we may process your personal information.
Yes, if you are a current, former, or referred patient, we may process your health and medical records, which are considered special category data under UK GDPR. We process such data to provide your medical care and to ensure compliance with our legal and medical obligations. We may also process race, ethnic origin, or sexual orientation data where required for medical or regulatory reasons (see Section 3).
Yes, through physical and digital notices, including this Privacy Policy.
Not always. While some data processing requires your explicit consent, other data processing activities are legally permitted without consent under specific lawful bases (see Section 4).
Yes, we use your data for various analytical purposes, including:
- Clinical research and evaluation
- Service improvement and patient outcome analysis
- Well-being assessments and message tailoring
All analytical processing is conducted lawfully and in line with regulatory obligations.
Yes, but only where necessary, including:
- With healthcare professionals involved in your treatment
- With regulatory bodies (e.g., NHS, ICO, CQC) for compliance
- With your consent, when required
🚫 No, never!
Yes, but only with your explicit consent. You can opt out at any time.
Yes, we follow a strict Records Retention Policy to ensure that we only keep your information for the necessary period.
Yes, we adhere to industry best practices and comply with the NHS’s Data Security and Protection Toolkit (DSPT).
Yes, all staff members receive regular and mandatory training on handling personal data securely.
Yes, only authorised personnel with a legitimate reason can access your information.
Yes. Where your rights apply, we will honour your request. If they do not apply, we will explain why.
2. How We Use Your Data
We use personal data to:
✔ Provide medical care (appointments, diagnosis, treatment).
✔ Manage patient records and process payments.
✔ Monitor and enhance service quality through audits and feedback.
✔ Meet legal and regulatory obligations (NHS, ICO, CQC compliance).
✔ Ensure security and fraud prevention (CCTV and IT monitoring).
✔ Communicate with you (appointment reminders, test results).
We do not sell your personal data to third parties.
3. What Data We Collect from You
At Medicana Winchester Clinic, we collect only the minimum necessary personal data to provide you with high-quality healthcare services and to fulfil our legal and regulatory obligations. The type of data we collect depends on your interaction with us, and we ensure that only authorised personnel with a legitimate need can access your information.
Below is a summary of the types of data we collect and why we collect them:
This includes:
✔ Name, home address, email, phone number
✔ Date of birth and identification details
Why?
We need to identify you correctly, provide medical services, and contact you regarding appointments or important healthcare updates.
This includes:
✔ Your medical history, symptoms, diagnoses, test results, and treatment records
✔ Any pre-existing conditions or ongoing treatment plans
✔ Physical and mental health records
Why?
We require this data to provide safe and effective medical care, tailor treatments to your needs, and maintain accurate health records as required by NHS regulations.
This includes:
✔ Your race, ethnicity, or heritage background
Why?
Certain health conditions and treatments may be relevant to ethnicity. We may also collect this data for monitoring equality, diversity, and inclusion in compliance with UK healthcare policies.
This includes:
✔ Any religious beliefs that impact your healthcare preferences
Why?
We do not actively request this data. However, if you voluntarily provide it, we may use it to accommodate religious-based medical preferences, such as dietary or treatment-related requests.
This includes:
✔ Your gender identity, preferred pronouns, and assigned sex at birth
✔ Details of sexual orientation or reproductive health (if medically relevant)
Why?
This information may be necessary for:
- Providing appropriate reproductive, sexual health, or gender-affirming care
- Ensuring inclusive, respectful treatment
- Addressing specific health risks associated with sexual health
You have the right to withhold this information if you do not wish to disclose it.
This includes:
✔ Genetic test results, inherited medical conditions, or genetic sequencing data
Why?
We only process genetic data when medically necessary, such as screening for hereditary conditions or personalised treatment planning.
This includes:
✔ Bank account details, credit/debit card details
✔ Insurance details (if applicable)
✔ Billing and transaction history
Why?
If you are a self-paying patient or using private health insurance, we process financial data to facilitate secure payments. We comply with Payment Card Industry Data Security Standards (PCI DSS) to protect your financial information.
This includes:
✔ Your emergency contact / next of kin (name, relationship, and phone number)
✔ Family medical history (if relevant to your diagnosis or treatment)
Why?
- Next of kin contact may be required for emergencies or consent-related matters
- Family medical history helps in assessing genetic or hereditary health risks
We will only collect next-of-kin details with your consent and will not share your health information with them unless explicitly authorised.
Key Data Protection Measures
- We never collect excessive or unnecessary data.
- Sensitive data is encrypted and stored in compliance with NHS data security protocols.
- Access to personal and health data is strictly controlled and logged.
- You can request access, correction, or deletion of your data at any time (see Section 10, Your Rights Under UK GDPR, for more details).
Questions About Your Data?
If you have concerns or wish to exercise your UK GDPR rights, contact our Data Protection Officer (DPO):
Email: privacy@medicana.co.uk
4. How We Lawfully Process Your Data
At Medicana Winchester Clinic, we process your personal and health data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Every time we process your data, we ensure that we have a lawful basis for doing so.
Below, we explain the legal grounds under which we process your personal data:
A. Legal Bases for Processing Your Personal Data
We process your personal data where it is necessary:
- To diagnose and treat your medical condition.
- To fulfil our contractual obligations to you (e.g., booking appointments, medical consultations, treatment, follow-ups).
- For billing, invoicing, accounting, and insurance claims.
- For quality control, patient safety, and service improvements.
🛡 Legal Basis: Article 6(1)(b) – Performance of a Contract
We may process your data if it is in the legitimate interest of Medicana Winchester Clinic or a third party. Examples include:
- Ensuring patient safety and medical quality assurance.
- Managing clinical risks and improving our healthcare services.
- Medical research and statistical analysis (where permitted by law and ethical review boards).
- Operational management, including compliance monitoring and internal governance.
🛡 Legal Basis: Article 6(1)(f) – Legitimate Interests (only used when your rights and freedoms are not impacted, per ICO guidance)
There are instances where we are legally required to process your personal data. These obligations include:
- Compliance with UK healthcare regulations (e.g., Care Quality Commission (CQC), NHS requirements).
- Public health reporting (e.g., disease surveillance, infection control, and medical audits).
- Regulatory compliance and fraud prevention (e.g., responding to Information Commissioner’s Office (ICO) investigations, insurance fraud checks, and legal claims management).
🛡 Legal Basis: Article 6(1)(c) – Compliance with a Legal Obligation
We may request your explicit consent in certain circumstances, such as:
- Direct marketing communications (only if you opt in).
- Participation in a clinical research study or clinical trial.
- Sharing your data with third parties not involved in your direct care (e.g., medical research collaborations).
🛡 Legal Basis: Article 6(1)(a) – Consent (You have the right to withdraw consent at any time by contacting us at privacy@medicana.co.uk.)
📌 Note: Consent for medical treatment is separate from consent for data processing. We may process your data without your explicit consent if there is another valid legal basis for doing so.
B. Legal Bases for Processing Special Category Data (Sensitive Health Data)
Because health data is considered special category data under UK GDPR, we must have an additional legal basis (under Article 9) when processing it. The bases we rely on are set out below.
We process your health records to:
- Provide direct medical care and treatment.
- Manage hospital operations and medical workflows.
- Monitor the quality and effectiveness of healthcare services.
🛡 Legal Basis: Article 9(2)(h) – Necessary for Medical Diagnosis & Healthcare Services
Where required, we will obtain your explicit consent to process special category data, such as:
- Genetic testing and reproductive health records.
- Research participation requiring identifiable health data.
- Marketing communications regarding specific medical services.
🛡 Legal Basis: Article 9(2)(a) – Explicit Consent
We may process your special category data when it is necessary for legal claims, such as:
- Medical malpractice claims or legal defence.
- Insurance disputes related to healthcare treatments.
🛡 Legal Basis: Article 9(2)(f) – Establishing, Exercising, or Defending Legal Claims
If you are an employee, trainee, or healthcare professional at Medicana Winchester Clinic, we may process your data for:
- Occupational health assessments.
- Fitness-to-work medical evaluations.
- Employee health and safety compliance.
🛡 Legal Basis: Article 9(2)(b) – Necessary for Employment & Labour Law Compliance
We may process your data when necessary for:
- Public health protection and disease control.
- Ensuring ethical medical practices and preventing fraud.
- Complying with regulatory investigations (e.g., CQC, GMC, ICO, NHS audits).
🛡 Legal Basis: Article 9(2)(g) – Substantial Public Interest under UK Law
5. Where We Get Your Data
We collect your data through:
✔ Website Forms – Appointment bookings, contact forms.
✔ Direct Communications – Emails, phone calls, consultations.
✔ CCTV Surveillance – Recorded in public areas for security.
✔ Cookies & Tracking – Analytics from website visits (see Cookie Policy).
6. Sharing Data
We only share your data where legally required or with your consent:
✔ NHS & Healthcare Providers – For patient referrals and medical care.
✔ Regulatory Authorities (ICO, NHS England, CQC) – Legal compliance.
✔ Payment Providers – Secure processing of transactions.
✔ Cloud Storage & IT Security Partners – Cybersecurity and data protection.
If data is transferred outside the UK, we ensure:
✔ Adequate Protection (e.g., EU countries with GDPR equivalence).
✔ Standard Contractual Clauses (SCCs) for non-EU/UK providers.
7. Where Your Data is Physically Stored
We utilise systems, technologies, and support vendors that may store or access your personal data on physical servers or in cloud storage located both within the United Kingdom and abroad. This includes locations within the European Economic Area (EEA) as well as, in limited circumstances, countries outside the EEA, such as the United States of America.
When we store or share your personal data with a third party in a country outside the UK or EEA, we implement appropriate safeguards to ensure your data is protected in accordance with applicable Data Protection Laws and the guidance provided by the Information Commissioner’s Office (ICO). These safeguards may include:
- Entering into binding contractual agreements with third-party suppliers;
- Implementing robust technical measures to ensure the security of your data during transfer and storage.
Additionally, if you reside outside the UK and require part of your care to be provided by a third party located in a different country, we may need to share your data with that third party. In such cases, we ensure that all necessary protections are in place to maintain the confidentiality and integrity of your personal data.
8. Data Retention
We retain your data for:
✔ Medical Records – At least 8 years (as per NHS policy).
✔ Financial Records – 6 years for legal & accounting purposes.
✔ CCTV Footage – Typically stored for 30 days, unless required for security investigations.
✔ Cookies & Analytics – Based on cookie type (see Cookie Policy).
9. Protecting Your Data
We take strict measures to protect your data:
✔ Encryption & Secure Storage – Ensures protection against cyber threats.
✔ Access Controls – Only authorised personnel can access your data.
✔ Regular Security Audits – To prevent unauthorised access or breaches.
10. Your Rights Under UK GDPR
You have the right to:
✔ Access your data – Request a copy of your personal information.
✔ Correct inaccurate data – Ask us to update incorrect details.
✔ Request deletion – Under certain legal conditions.
✔ Object to processing – Especially for marketing purposes.
✔ Restrict processing – If you contest data accuracy.
✔ Data Portability – Receive your data in a structured format.
✔ Withdraw consent – If data processing is based on consent.
To exercise your rights, email privacy@medicana.co.uk.
If you are not satisfied with our response, you can contact the UK Information Commissioner’s Office (ICO):
📍 Website: www.ico.org.uk
📍 Phone: 0303 123 1113
11. Cookies & Website Tracking
When visiting our website, a cookie banner allows you to:
✔ Accept or reject Essential Cookies (required for website functionality).
✔ Manage Analytical Cookies (to improve user experience).
✔ Control Marketing Cookies (for personalised content).
See our Cookie Policy for full details.
12. CCTV Policy
We use CCTV cameras for:
✔ Patient and staff safety.
✔ Crime prevention and investigation.
✔ Regulatory compliance.
Footage is securely stored and access is restricted to authorised personnel.
13. Communication Methods
We may contact you via:
✔ Phone, SMS, email, or post – For appointment reminders & test results.
✔ Voicemail messages – We ensure discretion.
If your contact details change, please update us.
14. Marketing Policy
✔ We never use your data for marketing without consent.
✔ You can opt out anytime by contacting privacy@medicana.co.uk.
15. Making a Complaint
If you have concerns about our data handling:
📍 Contact our DPO at privacy@medicana.co.uk
📍 Write to Medicana Winchester Limited, Chilcomb Park, Chilcomb Lane, Winchester, SO21 1HU
📍 Complain to the ICO at www.ico.org.uk
16. Policy Updates
We regularly review this policy. Changes will be posted on our website.
Need More Information?
Visit www.medicana.co.uk/privacy or contact privacy@medicana.co.uk.