Privacy Notice

Lynden Hill Clinics Limited (“we,” “us”) is committed to protecting your personal data. This Privacy Notice explains how we collect, use, share, and protect your information in line with the UK GDPR, the Data Protection Act 2018, the Data Use and Access Act 2025 and relevant ICO transparency requirements.

Lynden Hill Clinics Limited, registered in England and Wales under company number 02841841, is the Data Controller responsible for the personal information we collect and use. This means we are responsible for deciding what information we collect about you, how we use it, and the safeguards we put in place to protect it. As a private healthcare provider offering rehabilitation and post‑operative recovery services, we must process certain personal and medical details to deliver safe, effective care.

Lynden Hill Clinic has appointed an external specialist Data Protection Officer (DPO) to provide independent oversight, expert advice, and support with our data protection compliance. Our DPO services are delivered by The DPO Centre, an external consultancy firm specialising in data protection legislation.

If you have any questions about how we handle your personal information you can contact our DPO using the details below:

Email: advice@dpocentre.com

Postal address: Data Protection Officer, c/o Lynden Hill Clinic, Lynden Hill Lane, Kiln Green, Reading RG10 9XP

The DPO is independent of Lynden Hill Clinic’s clinical and administrative teams and is responsible for monitoring compliance, advising on data protection matters, and acting as a point of contact for the ICO where required.

To deliver safe, effective rehabilitation and healthcare services, we need to collect and process a range of personal information about you. This helps us understand your medical needs, coordinate your care, and ensure we are providing the highest possible clinical standards. The types of personal data we collect include:

  • Identity data (name, date of birth)
  • Contact data (phone, email, address)
  • Medical and health data (clinical notes, treatment information, referral details)
  • Emergency/next-of-kin contact details
  • Payment and billing information
  • Website usage data (cookies, analytics, IP address)
  • CCTV footage (if you attend the clinic)

We use your personal and medical information to ensure we deliver high‑quality, safe and effective rehabilitation, and healthcare services. The ways in which your data is used include:

  • To provide your treatment and rehabilitation – We use your medical history, clinical notes, assessment results and treatment information to understand your health needs, plan your care, and deliver appropriate rehabilitation services tailored to you. This includes monitoring your progress and adapting your treatment plan as required.
  • To communicate with you – We use your contact details to arrange appointments, send reminders, discuss your care, respond to your enquiries, and keep you informed about any changes affecting your treatment. Clear communication helps us provide a smooth and reliable service.
  • To coordinate your care with other professionals – Where necessary for your treatment, we may use and share relevant information with your referring clinician, GP, surgeon, therapist, or insurer. This ensures continuity of care, avoids duplication, and helps us understand the wider clinical context of your rehabilitation.
  • To maintain accurate and compliant clinical records – We use your information to update your medical record, document your progress, and ensure we meet clinical, regulatory, and professional standards. Accurate records support safe decision‑making and are a legal requirement for healthcare providers.
  • To manage billing and administration – If your care is self‑funded or covered by an insurer, we use your data to issue invoices, process payments, confirm eligibility, and manage our financial records.
  • To ensure safety, security and quality of service – CCTV footage and certain operational data may be used to maintain the safety of patients, visitors, and staff, and to protect our premises. We may also use aggregated or anonymised information to review performance, improve our services, and ensure we meet regulatory standards.
  • To handle feedback, queries, and complaints – If you contact us with a question, comment, or concern, we use the information you provide to respond appropriately and to help improve our services. If you make a formal complaint, we are required to record and review relevant details to address the issue properly.
  • To manage our website and digital services – When you use our website, we may use technical data, such as cookies or analytics, to maintain security, understand usage patterns, and improve user experience.

Data protection law requires us to identify a lawful basis every time we use or share your personal information. These legal bases explain why we are allowed to process your data and help ensure that your information is handled fairly, transparently, and in line with your expectations as a patient receiving healthcare services.

As we provide rehabilitation and post‑operative support, much of the information we process is sensitive health data, which receives additional protection under the UK GDPR. Our processing of health information is also based on Schedule 1, Part 1 of the Data Protection Act 2018 (health or social care purposes).

Below is an explanation of the lawful bases we rely on and why they apply to the care we provide.

  • To provide your healthcare and rehabilitation – Article 6(1)(b) – We process much of your personal information because it is necessary to deliver the services you have asked us to provide. This includes arranging appointments, creating, and maintaining your medical record, assessing your needs, and delivering treatment. Without using your information in this way, we would not be able to provide your care safely or effectively.
  • To process your medical and health information – Article 9(2)(h) – Health and medical information is classed as special category data, which has extra safeguards. We are permitted to use this data because it is necessary for the provision of health or social care. This lawful basis allows clinicians, therapists, and other healthcare professionals involved in your rehabilitation to access and update your records so they can deliver appropriate and safe treatment.
  • For our legitimate interests – Article 6(1)(f) – In some situations, we use your personal data because it is necessary for purposes that support the effective running of our clinic, as long as this does not override your rights. Examples include ensuring the security of our premises, keeping internal administrative records, analysing service performance, or improving our facilities. Where we rely on this basis, we always consider your privacy and ensure the impact on your rights is minimal.
  • When you give your consent – Article 6(1)(a) – For certain optional activities, such as participating in non‑essential feedback requests, we will only use your personal data if you have given us clear consent. You have full control over this and can withdraw your consent at any time without affecting your care.
  • When the law requires us to do so – Article 6(1)(c) – On occasion, we may need to process or share your information to comply with legal obligations – for example, where regulators require us to provide certain information, or where we must report concerns relating to safeguarding or public safety. In these situations, we only share what is absolutely necessary and always act in accordance with relevant laws and professional duties.

We only share your personal information when it is necessary for your care, for the safe and effective running of our services, or when we are legally required to do so. We never sell your data, and we take care to ensure that anyone we share information with protects it in line with data protection law and professional confidentiality standards.

  • Sharing information with healthcare professionals involved in your care – To ensure you receive well‑coordinated and clinically appropriate treatment, we may share relevant information with other healthcare professionals directly involved in your rehabilitation. This may include your referring consultant, surgeon, physiotherapist, GP, or other specialists. Sharing information in this way helps maintain continuity of care, prevents duplication, and ensures all those supporting your recovery have an accurate understanding of your clinical needs.
  • Support from a local private GP during your stay – As part of our commitment to providing safe, holistic care, we work closely with a local private GP who supports patients during their stay at Lynden Hill Clinic. This GP may review your medical information, offer clinical guidance, assist with medication management, or respond to any unexpected healthcare needs that arise. Only the information necessary for them to carry out this role is shared, and all involvement is handled in strict confidence, as you would expect in any healthcare setting.
  • Sharing with insurers or funders – If your treatment is funded by an insurance provider, employer, or other third party, we may share the minimum necessary information to confirm eligibility, arrange authorisations, or process payment. We only share what is required to administer your care and funding arrangements.
  • Sharing with our trusted service providers – We work with carefully selected companies that help us deliver our services, for example, IT providers who support our clinical systems, secure data storage services, or administrative support partners. These organisations act under our instructions, must follow strict data protection requirements, and are not permitted to use your information for their own purposes.
  • Regulators and legal obligations – We may need to share certain information to comply with our legal and regulatory duties, such as with the Care Quality Commission (CQC) or other authorities. This is only done when required by law, and we limit information to what is strictly necessary.
  • CCTV and safety – If you attend our premises, you may be recorded on CCTV. This footage may be shared with authorities where needed, for example, in the event of an incident or for safety investigations.

We take the security of your personal and medical information extremely seriously. Because much of the data we hold relates to your health, we apply strict technical and organisational measures to make sure it is protected at all times. These controls are designed to prevent your information from being accessed, lost, changed, or shared in ways that are not authorised.

To keep your data safe, we use a combination of the following safeguards:

  • Secure clinical and administrative systems – Your information is stored on secure, access‑controlled systems designed specifically for handling healthcare data.
  • Role‑based access controls – Only the staff who genuinely need to access your information for your care or clinic administration are able to do so. Access rights are regularly reviewed.
  • Encryption and secure transmission – Where appropriate, data is encrypted or transmitted using secure methods to ensure it cannot be intercepted or read by unauthorised parties.
  • Physical security – Our buildings, treatment areas, and records storage locations are protected by physical security measures, including controlled entry and CCTV, to prevent unauthorised access.
  • Staff training and confidentiality – All staff receive regular training on confidentiality, data protection responsibilities, and safe handling of medical information. Everyone working with your data is bound by professional and contractual confidentiality obligations.
  • Regular monitoring and security checks – We review our systems, policies, and data protection practices to ensure they remain effective and up to date with legal and professional standards.
  • Carefully selected service providers – When we work with external companies (for example, IT or data‑hosting providers), we ensure they meet strict security requirements and handle your data only under our instructions.

These safeguards work together to ensure that your information is protected throughout your relationship with us, from the moment it is collected to its secure disposal at the end of its retention period.

There may be occasions where your personal data is stored or processed outside the UK. This can happen, for example, if one of our trusted technology providers uses secure servers located overseas. Although many of our systems operate within the UK, some modern digital tools and cloud‑based platforms operate internationally, and we want to be clear about how we protect your information in these situations.

Whenever your data is transferred outside the UK, we take great care to ensure it remains just as safe as it is here. We only work with providers who meet strict data protection and security standards, and we ensure that any international transfers are protected by legally‑approved safeguards. These may include:

  • Legally recognised data protection agreements – We use approved mechanisms such as the International Data Transfer Agreement (IDTA) or other UK‑approved transfer safeguards. These binding agreements require the organisation receiving your data to protect it to UK GDPR standards.
  • Countries with ‘adequacy’ decisions – Some countries have been assessed by the UK government as providing data protection standards essentially equivalent to those in the UK. If your data is transferred to one of these countries, the law already recognises that the information will be adequately protected.
  • Contractual and technical safeguards – Where needed, we apply additional protections such as encryption, access controls, or contract clauses requiring the overseas provider to handle your data securely and confidentially, and to use it only for the specific purpose of supporting our services to you.
  • Minimal and necessary transfers only – We only transfer personal data internationally when it is necessary for the functioning of our systems, for the secure storage of information, or to enable us to provide efficient healthcare and administrative support. We never transfer more information than is required.

We only keep your personal information for as long as it is genuinely needed. The length of time depends on the type of data, the nature of the services we provide to you, and the legal or regulatory requirements we must follow as a healthcare provider. We aim to keep your information no longer than necessary, while ensuring we maintain complete and accurate records to support your care, protect your safety, and meet our professional obligations. Our retention of medical records follows the standards set out in the NHS Records Management Code of Practice.

We have listed the most applicable retention periods below:

  • Medical records – Because your clinical information forms an important part of your ongoing health history, we are required to retain your medical records for a set period defined by national clinical standards. These rules ensure that if you return to us in the future, or if another healthcare professional needs to understand your previous treatment, your records are available. We retain adult health records for 20 years and once the required retention period has passed, your records are securely destroyed.
  • Financial data – We retain financial data for 6 years. This allows us to meet accounting, auditing, and taxation obligations, and to respond to any future billing queries.
  • CCTV footage – CCTV recordings are kept for 30 days, unless an incident occurs that requires us to retain the footage for longer, for example for security, safety, or legal reasons.
  • Communications, feedback, and complaints – If you contact us with a question, concern, or complaint, we keep the relevant correspondence for a period that allows us to follow up appropriately, review outcomes, and improve our services. Complaints are retained for a longer period (10 years) to ensure we meet regulatory requirements.
  • Subject Access Requests (SARs) – If you make a request to access your personal data under your data protection rights, we keep a record of the request, our response, and any related correspondence for 3 years. Keeping SAR records for this period allows us to demonstrate compliance with the UK GDPR, respond to any follow‑up questions, and evidence how we handled your request if you raise concerns with the ICO.

Once information reaches the end of its retention period, it is disposed of securely. This may include certified digital deletion, secure shredding, or other approved methods to ensure your data cannot be accessed or reconstructed.

You have several important rights over your personal data, and we want you to feel confident and informed about how to exercise them. These rights are designed to give you control, ensure transparency, and protect your privacy while allowing us to deliver safe and effective healthcare. We take these rights seriously and will always respond to any requests in a fair, timely and lawful way. To exercise any of these rights, please email us at enquiries@lynden-hill-clinic.co.uk.

  • Your right to be informed – You have the right to be informed about how we collect, use, store, and share your personal information. This Privacy Notice is one of the ways we ensure you have clear and accessible information about what we do with your data, why we do it, and what safeguards we have in place. We aim to provide this information in plain, understandable language and make it available to you at the point your data is collected or as soon as reasonably possible.
  • Your right to access your data – You can request a copy of the personal data we hold about you, including your medical records, correspondence, or other relevant information. This is known as a Subject Access Request (SAR). We will provide this unless a legal exemption applies. We may ask for simple identity checks before providing copies of your information, just to make sure your data is only shared with you.
  • Your right to have incorrect information corrected – If any of the information we hold about you is inaccurate or incomplete, you can ask us to correct it. Ensuring your clinical records are accurate is essential for providing you with safe, effective treatment.
  • Your right to request deletion of your information – You may ask us to delete your personal information in certain circumstances. While this right does not usually apply to medical records, because we are legally required to maintain them, we will consider each request carefully and explain any limitations clearly and transparently.
  • Your right to restrict how your information is used – You can request that we limit how we use your information. This might apply, for example, if you believe the data is inaccurate, or if you need us to store information but not use it while a concern is being resolved.
  • Your right to object to certain types of processing – You can object to us using your data for activities that are not essential to your healthcare, for example, certain administrative tasks or optional communications. If you object, we will stop using your data unless we have a compelling legal reason to continue.
  • Your right to withdraw consent – If we rely on your consent for a particular activity, such as optional marketing or surveys, you can withdraw that consent at any time. This will never affect the care or services you receive from us.
  • Your right to data portability – You can ask for your information in a structured, commonly used format so that you can share it with another organisation, such as another care provider or health service, when applicable.
  • Your rights in relation to automated decision-making or profiling – You have the right not to be subject to decisions based solely on automated processing or profiling that could significantly affect you. Lynden Hill Clinic does not use automated decision-making or profiling tools, but should this ever change we would notify you.

If you are unhappy with how we use your data, we encourage you to raise your concerns with us first so we can resolve them quickly. Under the Data Use and Access Act 2025, we operate a formal data complaints process. You can contact us via the following methods:

Post: Lynden Hill Clinic, Lynden Hill Lane, Kiln Green, Reading RG10 9XP
Phone: 0118 940 1234
Email: enquiries@lynden-hill-clinic.co.uk

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection.

Website: https://ico.org.uk
Postal address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline telephone number: 0303 123 1113

We use essential cookies to make our website work and to keep it secure. With your consent, we also use optional analytics and functionality cookies to understand how the site is used and to improve your experience. You can choose which optional cookies to allow via our cookie banner, and you can change your preferences at any time.

Some cookies may involve limited data being processed outside the UK; where this happens, we ensure appropriate safeguards are in place. For more information about each cookie we use and how long they last, please see our Cookie Policy.

This notice will be reviewed annually or whenever there are significant changes to how we process personal data.
