Privacy Policy  


This document describes how Cardinal Clinic (“Clinic”) collects, uses and manages the information it holds about its patients, how the information may be shared and how the confidentiality of patient information is maintained.  

We take our duty to protect your personal information and confidentiality very seriously and are committed to taking appropriate measures to ensure it is held securely and only accessed by those with a need to know. We take care to meet our legal and regulatory duties.  


The Clinicians caring for you keep records about your health and any treatment and care you receive from us. These records, which may be written on paper or held on computer, help to ensure that you receive the best possible care.  


What kind of information is held about you?  

  • Personal details, such as name, address, date of birth, next of kin, GP practice & telephone numbers.  
  • Contact we have with you, such as appointments & admissions.  
  • Notes and reports about your health, treatment & care.  
  • Results of tests, such as blood tests, ECG and any x-ray or scans.  
  • Relevant information from people who care for you and know you well such as health or social care professionals, relatives, or carers.  
  • Financial information such as insurance company information, invoices, and payments.  


How we use your personal information.  

In general terms, your records are used to direct, manage, and deliver your care so that:  

  • Clinicians involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.  
  • Health and social care professionals have the information they need to assess and improve the quality and type of care you receive.  


When do we share information about you?  

We share information about you with others directly involved in your care and also share more limited information for indirect care purposes, which are described below:  

Direct Care Purposes:  

We have a duty under the Health and Social Care Act 2012 to share information about you with other health and social care professionals directly involved in your care so that you may receive the best quality care. For example, we will send your GP a summary of any treatment given, diagnosis, test results and medication prescribed. The health and social care professionals receiving information from us about you share the same duty that we have, to keep your personal information confidential.  

If you are receiving care from other people, such as Social Care Services or the NHS we may need to share some information with them so that we can all work together for your benefit. We will only do this when either they have a genuine need for it, or we have your permission.  

Certain information is shared with external care providers who provide services relating to your care, eg. pathology laboratory and ECT services. These organisations are data controllers in their own right and have the same obligation to maintain your records confidentially.  

We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as when either your or somebody else’s health and safety is at risk or the law requires us to pass on information.  


Indirect Care Purposes:  

We also use the information we hold about you to:  

  • Review the care we provide to ensure it is of the highest standard and quality  
  • Ensure our services can meet patient needs in the future  
  • Investigate patient queries or complaints  
  • Ensure we receive payment for the care you receive  
  • Help train and educate clinicians 


There are strict controls on how your information is used for these purposes and unless specific to your care or finances, all data is anonymised to prevent identification. In rare circumstances we might share information with external agencies without asking your consent. Examples of this are:  

  • If there is a concern that you are putting yourself at risk of serious harm  
  • If there is a concern that you are putting another person at risk of serious harm  
  • If there is a concern that you are putting a child at risk of harm  
  • If we have been instructed to do so by a court  
  • If the information is essential for the investigation of a serious crime  
  • If you are subject to the Mental Health Act 1983, there are circumstances in which your ‘nearest relative’ must receive information, even if you object  
  • If your information falls within a category that needs to be notified for public health or other legal reasons, e.g. certain infectious diseases.  
  • Sharing financial information with a debt collection agent in order to obtain payment where such payment is more than 90 days overdue.  


Other ways in which we use your information:  

SMS text messaging reminders  

We may use your telephone number(s) to remind you of your appointment details via SMS. We ask your consent to provide this service and you can withdraw your consent at any time by contacting our Receptionist where you can request your telephone number is removed from the text reminder service.  

Surveillance Cameras (CCTV)  

We use surveillance cameras on and around the hospital site in order to:  

  • Protect staff, patients, visitors and Clinic property  
  • Apprehend and prosecute offender and provide evidence to take criminal or civil action in the courts  
  • Provide a deterrent effect and reduce unlawful activity  
  • Help provide a safer environment for all  
  • Monitor operational and safety related incidents  


You have the right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. Requests should provide sufficient information to identify you and assist us in finding the images on our system. We reserve the right to obscure images of other parties to preserve their confidentiality. Please be aware that we only retain surveillance data for 7 days.  


Health Records  

How long health records are retained  

All patient records are kept in line with the current Records Management Code of Practice for Health & Social Care, which sets out the appropriate length of time each record should be retained. The Clinic does not keep patient records for longer than necessary and all records are destroyed confidentially once the retention period has come to an end.  


Your right to object  

You have the right to restrict how and with whom we share information in your records that identifies you. If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable. Please discuss any concerns with the clinician treating you so that you are aware of any potential impact.  


How you can access your records  

You can access your records by making a Subject Access Request. All requests should be made in writing to the Chief Privacy Officer at the address at the end of this document and accompanied by evidence of your identity. We will then provide your information as quickly as possible but within one month of receiving your written request. You will need to provide:  

  • Satisfactory evidence of your identity  
  • Authority to act on someone else’s behalf (if appropriate)  


An indication of what information you are requesting to enable us to locate it in an efficient manner.  

Whilst no charge is made to you for access to your records please be aware that we can charge a reasonable fee, based on the administrative costs of meeting your request, if a request is manifestly unfounded or excessive, particularly if it is repetitive. We reserve the right not to respond to your request in those circumstances and if we do, we will let you know why and how you can take the matter further if you wish to do so. An extension to two months for provision of records can be made where requests are complex or numerous.  



If you think any information we hold about you is inaccurate please let us know by contacting the Clinician in charge of your care or the Office Manager.  


Transferring personal data outside of the EEA  

In some cases we may transfer your personal data to countries outside the European Economic Area, for example we may use cloud computer programmes where the servers are outside of the EEA.  

Where we do so we will ensure that such transfers are compliant with GDPR and that appropriate measures are put in place to keep your Personal Data secure.  


Data Controller  

The data controller responsible for keeping your information confidential is:  

Bishops Lodge Limited t/a Cardinal Clinic  

Bishops Lodge  

Oakley Green Windsor SL4 5UL  


If you have any queries or concerns please address them to the Chief Privacy Officer at the above or email to where it will be forwarded to the relevant person. 

Last updated on 03/05/2024