Privacy Policy

Privacy Policy

Policy Statement

UK Health Consultancy Ltd (“UKHC”) processes personal data that relates to contractors and patients and is therefore required by law to comply with the Data Protection Act 2018 (“DPA”) and The General Data Protection Regulation 2016/679 (“GDPR”), which protects the privacy of individual’s personal data and ensures that it is processed fairly and lawfully. UKHC is committed to ensuring that it complies with the DPA and the GDPR to protect the interests of contractors and patients and to maintain the confidentiality and security of personal data held. To do this, UKHC will comply with the eight data protection principles. In summary, these state that personal data shall be:

  • fairly and lawfully processed;
  • processed for limited purposes (i.e. obtained only for specified and lawful purposes and further processed only in a compatible manner);
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept for longer than is necessary;
  • processed in line with the individual’s rights;
  • kept secure;
  • not transferred to countries outside the European Economic Area without adequate protection.


This website is operated by UK Health Consultancy (“we”, “our” and “us” are words used to refer to UK Health Consultancy within this policy). By using and visiting our website and by submitting your information to us, you agree to us using your information as set out in this privacy policy. This privacy policy applies solely to the website and not to any other website or service. We may make changes to this policy from time to time. If we do make changes, we will post the changes on this page and they will apply from the time that we post them. This policy was last changed on [Insert appropriate date here].

Your Personal Data

Any personal information that you do provide us with is used exclusively by UK Health Consultancy to inform you of current and future activities relating to UK Health Consultancy as described in this website. We will treat the personal information that you have supplied to us in accordance with our responsibilities under the EU General Data Protection Regulation (GDPR) and the Data Protection Act 1998 as it applies in the United Kingdom and will not pass it to any outside organisations or individuals unless we are required to do so by law.


This Data Protection, Confidentiality and Information Security Policy applies to all employees and others who have legitimate rights to access and use UKHC’s information systems.

Compliance with the applicable laws and this policy is the responsibility of all employees. A breach of this policy, whether deliberate or through negligence, could lead to disciplinary action being taken.

The following table lists key responsibilities:

Team Member Responsibility
Khadija Mouhajer Main point of contact for data protection related queries; subject access requests

Definition of Personal Data

As an employer and to provide effective care for patients, UKHC processes personal data of employees and contractor’s patients. Personal data relates to information about, or correspondence relating to, a named individual. Some examples of the personal data processed are as follows:

  • personal information and contact details, including the patient’s name, address and date of birth;
  • medical histories (e.g. past or current medical conditions, current medication, consultant details);
  • results of examinations, including x-rays and clinical photographs;
  • information about appointments;
  • any treatments and their costs;
  • any proposed care, including advice given to the patient and referrals the patient, might need;
  • any concerns that the patient or UKHC team might have;
  • details of the patient’s consent for specific procedures;
  • correspondence with other healthcare workers that relates to the patient’s care.


Procedures for Ensuring Compliance with Applicable Laws and the Confidentiality and Security of Personal Data 

All Staff

  • Comply with the 8 data protection principles
  • Attend training and awareness sessions in processing personal data and confidentiality as per the guidance set out by the Information Commissioners Office (“ICO”).
  • Keep any personal data or confidential data that they hold, whether in electronic or paper format, securely, which includes:
  • storing paper files with personal data in lockable filing cabinets that are locked when authorised staff are not present to monitor access;
  • ensure emails containing personal data are sent encrypted;
  • storing electronic files containing personal data on password-protected computer systems;
  • ‘screen-locking’ unattended computers;
  • not sharing computer passwords with unauthorised parties/people, not writing down passwords and not keeping passwords on or near their computer;
  • holding personal data on laptops only where there is a clear business necessity and permission is sought from the Managing Director (if there is a necessity, ensure it is fully encrypted);
  • avoiding carrying personal data on removable media (e.g. memory sticks or CD-roms);
  • not using unlicensed software on company computers;
  • ensuring windows and doors are secured within the office.
  • Practice good record-keeping, and ensure that records are:
  • accurate;
  • dated;
  • contemporaneous;
  • comprehensive;
  • secure;
  • legible and written in language that can be read and understood by others, and is not derogatory.
  • Maintain the confidentiality of any personal data by, for example:
  • ensuring that personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party (e.g. avoid working on personal data such as application forms on public transport, do not discuss identifiable information about patients with anyone outside the organisation, including friends, family and schools, or leave messages about a patient’s care with an unauthorised third party or via voicemail);
  • respecting patient privacy for discussions of a sensitive nature (e.g. discussion of medical information, payment, or asking patients for proof of exemption status);
  • using personal data only for the purposes for which they are authorised in the relevant Data Protection registration.
  • Ensure patients know what information is to be shared, why it is being shared and the likely consequences of sharing (or not sharing) the information, and give patients the opportunity to withhold permission to share their information. Please see our Privacy Notice for further information.
  • Share personal data only on a ‘need to know’ basis and following consent from the patient; for example:
  • to another health professional for the provision of effective care and/or treatment;
  • to ensure the provision of care under an authorised third party (e.g. treatment at an authorised third party’s facility).
  • Check that any personal information that you provide in connection with your employment is accurate and up to date, and inform the Managing Director of any changes to this information.
  • Inform the Managing Director of any suspected or actual data protection breach and report it to the ICO where appropriate and in line with the ICO reporting guidelines.


General Practices 

  • Keys for lockable storage cabinets are held only by the Managing Director.
  • Each computer is fitted with anti-virus software.
  • Electronic devices are encrypted.
  • Daily back-ups of records are made and stored within a cloud-based server.
  • Back-ups are tested to ensure data can be retrieved in a useable format.
  • Personal data is reviewed, updated and deleted in a confidential and secure manner when no longer required.
  • Windows and doors to the building are fitted with locks and the building is fitted with an intruder alarm that is set each night to increase security.


Sharing Personal Information

To provide the patient with appropriate care, we might need to share personal data with:

  • health professional(s) who may be caring for the patient;
  • the patient’s GP;
  • authorised third parties who will be providing services to the patient by way of UKHC referrals;
  • contractor payment authorities;
  • Embassies (as applicable).

In these cases, only the minimum information required will be shared.

Disclosure Without Consent 

Exceptional circumstances might override the duty to maintain confidentiality. Where possible, we will inform the patient of requests to share personal information. The decision to disclose information must only be taken by the Managing Director. Examples include:

  • situations where there is a serious public health risk or risk of harm to other individuals;
  • when information is required by the police to prevent or detect crime or to apprehend or prosecute offenders (if not providing the information would prejudice these purposes);
  • in response to a court order;
  • to pursue a legal claim.


Subject Access Requests

Individuals have a right under the DPA and the GDPR to request a copy of the information held about them on. This is known as the right of subject access.

The Managing Director will deal with subject access requests and will respond to requests from patients or employees within 30 days of receipt of the request. There is no fee for the request.