Privacy Policy

This Privacy Policy outlines how The National Heart Clinic (“we”, “our”, or “us”) collects, handles, and safeguards personal information when you use our website, contact our team, or receive clinical services. We are committed to respecting your privacy and protecting your data in line with applicable UK data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. 

This notice explains what information we collect, why we collect it, how it is used, and the rights you have in relation to your data. We may revise this policy from time to time, and any updates will be published on this page.

Who does this Privacy Policy apply to?

This notice applies to any individual who contacts or receives services from The National Heart Clinic, whether by phone, email, online forms, or through our website https://thenationalheartclinic.co.uk/.

Our Approach to Data Protection

We manage personal information responsibly and in line with recognised data protection principles. This means your data is:

  • Used lawfully and transparently
  • Collected for clear and legitimate purposes
  • Limited to what is relevant and necessary
  • Kept accurate and up to date
  • Stored only for as long as required
  • Protected against unauthorised access or misuse

How to Get in Touch

If you have any questions about this Privacy Policy or how we use your personal information, you can contact us at email: [email protected]

How Do We Collect Your Information?

We may collect your personal information in several ways, including:

Information you provide directly

  • When booking an appointment
  • When contacting us by email, phone, online forms, or in person
  • When sharing medical history or clinical details

Information from other healthcare providers

  • Your GP, consultant, or referring clinician
  • Hospitals, clinics, or diagnostic centres
  • Imaging and cardiology services

From third parties

  • Insurance companies
  • Referring clinicians
  • Payment or finance providers

By submitting information to us, you confirm that it is accurate and, if supplied on behalf of someone else, that you have their permission to do so.

What Personal Information Do We Collect?

General personal data

  • Full name, date of birth, gender
  • Address and contact details
  • Emergency contact information
  • GP details
  • Payment and billing information
  • Insurance or third-party payor details (if applicable)

Special category (sensitive) data

We collect clinical information necessary to provide safe medical care, including:

  • Medical history, test results, diagnostic images
  • ECG, CT, MRI, ultrasound, and pathology reports
  • Notes from consultations and follow-up appointments
  • Past and current treatment information

We only process sensitive health data where legally permitted and necessary for your care.

Why Do We Use Your Information?

We process personal data only where permitted by law. Typical reasons include:

  • Providing cardiology and diagnostic services
  • Coordinating care with your GP, consultant, or healthcare team
  • Maintaining medical records
  • Managing appointments, administration, and billing
  • Meeting legal and regulatory obligations (e.g., GMC, CQC)
  • Communicating updates related to your care
  • Improving our clinical systems, processes, and patient experience
  • Protecting against fraud and ensuring system security

We rely on lawful bases such as performing a healthcare contract, legitimate interests, legal obligations, and explicit consent (when required).

Data Security Measures

We use technical and organisational security measures to prevent unauthorised access, misuse, or loss of your data. Access is restricted only to individuals who require it to deliver your care or manage related services. We use secure clinical systems, imaging platforms, and payment providers that meet UK healthcare data protection standards.

How Long Do We Keep Your Data?

Your personal and medical data is retained only for as long as necessary for clinical, legal, and regulatory purposes. Retention times follow:

  • NHS Records Management Code of Practice
  • Department of Health and Social Care guidance

Different types of records may have different retention periods depending on clinical relevance and legal requirements.

Sharing Your Personal Information With Third Parties

We may share your information only when justified by law, such as:

Healthcare partners

  • GPs, consultants, and referrers
  • Hospitals, clinics, and diagnostic centres involved in your care

Service providers

We work with trusted third parties under strict data protection agreements, including:

  • Patient administration and booking systems
  • Secure payment processors
  • Imaging and PACS providers
  • Medical transcription services
  • IT, hosting, and cybersecurity providers
  • Billing and finance providers
  • External debt recovery agencies

Insurance and third-party payors

Where care is funded by insurers, embassies, or corporate payors, relevant information may be shared for authorisation and payment purposes.

Regulators and Authorities

We may disclose information where required by law or regulatory bodies. All third parties are required to protect your data and use it only for agreed purposes.

International Data Transfers

We do not routinely transfer your information outside the UK or EEA. If a transfer becomes necessary (for example, through a service provider), we will:

  • Ensure a lawful basis for transfer
  • Use appropriate safeguards (e.g., Standard Contractual Clauses)
  • Maintain equivalent protection for your personal data

More details can be provided upon request.

Your Data Protection Rights

You have the following rights under UK GDPR:

  • Right of access – Obtain a copy of your personal data
  • Right to rectification – Correct inaccurate or incomplete information
  • Right to erasure – Request deletion of certain data
  • Right to restrict processing – Limit how your data is used
  • Right to object – Object to certain types of processing (including marketing)
  • Right to data portability – Receive your data in a digital format
  • Right to withdraw consent – Withdraw consent at any time

These rights are subject to certain legal limitations, especially regarding health records.

To exercise any of your rights, contact us at email: [email protected].

We may request identification before processing your request.
We aim to respond within one month, or 21 days for automated decision-related requests.

Concerns, Complaints, or Further Information

If you have questions or concerns about how your data is handled, you can contact our Registered Manager or Data Protection Lead at email: [email protected].

You also have the right to raise concerns with the Information Commissioner’s Office (ICO).