Privacy Policy

Protecting your privacy

London Lauriston Clinic (LLC, the Clinic, we or our) is an independent provider of private healthcare in central London.  In order to provide healthcare services and receive payment for those services, LLC needs to collect and process certain information about you, which can identify you as an individual, what is commonly referred to as ‘personal data’.  We are, in almost all circumstances, the ‘Data Controller’ for the information that we collect and process about you, and you are the ‘Data Subject’. 

We are responsible for deciding how we hold and use your personal data, for taking care of your personal data and ensuring that anyone we work with, who might need to access your personal data, also takes care of it and follows our rules.  If there is ever a situation where some other organisation or person is the data controller of your personal data, we will let you know.

LLC is committed to protecting and respecting your privacy and your personal data in accordance with the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).

You are in control of your personal data.  For more information you can contact the Chief Executive Officer at 34 Great Titchfield Street, London W1W 8BQ or at info@LLClinics.co.uk.  We encourage people to bring concerns to our attention and we take any complaints we receive very seriously.  We aim to resolve any concern you might have quickly and easily. 

If you have contacted us with regard to your personal information but are not satisfied with our response, you can contact the UK’s Information Commissioner’s Office for further information or to make a complaint.

Our contact details

London Lauriston Clinic
34 Great Titchfield Street, London W1W 8BQ
Telephone: 020 4511 0444
Email:  info@LLClinics.co.uk

Contact for personal data

If you have any questions or concerns regarding the personal data that we hold on you, or how we use your personal data, please contact our Chief Executive Officer on info@LLClinics or 020 4511 0444.

What personal data we collect

We collect personal information about you when you contact us about our services, make an appointment with us for treatment or are referred to us by another medical professional, or apply for a job with us.

In order to support your care, our clinicians maintain records about you. This can include:

  • Your name, contact details, date of birth, next of kin and any carers.
  • Details of your appointments, clinic visits, etc.
  • Records about your health, treatment and care.
  • Results of investigations, such as laboratory tests, and x-rays.
  • Information from other health professionals.
  • Only where medically relevant, details of your genetic characteristics or genetic sequence, your sexual preferences, sex life and/or gender identity.

There will also be a need to collect your financial information, or that of any sponsor or insurer, including details of your bank cards, bank account, insurance details or other financial data depending on how you choose to pay for any of our goods or services.

We also collect information about you when you complete our patient satisfaction feedback questionnaire or submit your details for a job application.

As you interact with our website, we may automatically collect personal data by using cookies; this will however be dictated by the cookies that you allow.

Where we get your personal data from

Most of the personal information we process is provided to us directly by you via our Patient Registration Form.  We may also receive personal information indirectly, from your consultant, general practitioner (GP), NHS Trust, independent healthcare provider, insurer, family member or international medical service.  We almost never obtain information about you without your prior knowledge; you should know about personal information being sent to us prior to us receiving it.

Your website usage data may be collected and processed if you choose to allow cookies to collect your information.

How we lawfully process your personal data

Under UK GDPR, we are required to show a clear link between types of personal data processed, the purpose of processing, the lawful basis for using personal data, and what exceptions are relied upon for processing special category data.  The table below shows what personal data we process, its purpose and lawful basis, and the exceptions we rely upon to process special category data, at the Clinic.

Purpose of processing: Contacting you following an enquiry from you through our website, by email, or by telephone.
Types of personal data:
  • Basic contact details for a patient, such as name, address, date of birth, next of kin, email address, and telephone numbers.
  • Special category personal data concerning health, such as diagnostic tests, allergies, assessments, care treatment plans, past and future appointments. This may also include, where medically relevant, genetic data, concerning inherited genetic characteristics.
Lawful basis for processing personal data:
  • Contractual obligation, Article 6(1)(b).
Lawful basis for processing special categories of personal data:
  • Healthcare condition, Article 9(2)(h).
  • Vital interests of data subject condition, Article 9(2)(c).
  • Legal defence condition, Article 9(2)(f).

Purpose of processing: Disclose information to regulatory bodies or information organisations.
Types of personal data:
  • Basic contact details for a patient, such as name, address, date of birth, next of kin, email address, and telephone numbers.
  • Basic contact details for persons providing care to a patient, such as carers, relatives, etc.
  • Special category personal data concerning health, such as diagnostic tests, allergies, assessments, care treatment plans, past and future appointments. This may also include, where medically relevant, genetic data, concerning inherited genetic characteristics.
Lawful basis for processing personal data:
  • Legal obligation, Article 6(1)(c).
Lawful basis for processing special categories of personal data:
  • Substantial public interest condition, Article 9(2)(g).
  • Public interest in area of public health condition, Article 9(2)(i).

Purpose of processing: To provide you with healthcare and related services.
Types of personal data:
  • Basic contact details for a patient, such as name, address, date of birth, next of kin, email address, and telephone numbers.
  • Basic contact details for persons providing care to a patient, such as carers, relatives, etc.
  • Special category personal data concerning health, such as diagnostic tests, allergies, assessments, care treatment plans, past and future appointments. This may also include, where medically relevant, genetic data, concerning inherited genetic characteristics.
Lawful basis for processing personal data:
  • Contractual obligation, Article 6(1)(b).
Lawful basis for processing special categories of personal data:
  • Healthcare condition, Article 9(2)(h).
  • Vital interest of the data subject condition, Article 9(2)(c).

Purpose of processing: Communicating with, or updating, third party healthcare professionals regarding your care following a referral. Sharing updates about your care with insurance companies.
Types of personal data:
  • Basic contact details for a patient, such as name, address, date of birth, email address, and telephone numbers.
  • Special category personal data concerning health, such as diagnostic tests, assessments, care treatment plans, past and future appointments. This may also include, where medically relevant, genetic data concerning inherited genetic characteristics.
Lawful basis for processing personal data:
  • Consent, Article 6(1)(a).
  • Contractual obligation, Article 6(1)(b).
  • Legitimate interests, Article 6(1)(f).
Lawful basis for processing special categories of personal data:
  • Healthcare condition, Article 9(2)(h), as above.
  • Public interest in the area of public health condition, Article 9(2)(i).

Purpose of processing: To ensure that your account and billing are accurate, in the processing of payments.
Types of personal data:
  • Basic contact details for a patient, such as name, address, date of birth, email address, and telephone numbers.
  • Medical insurance details.
  • Debit/credit card information.
  • Special category personal data concerning health, such as diagnostic tests, treatments, and prescribed medication.
Lawful basis for processing personal data:
  • Contractual obligation, Article 6(1)(b).
  • Legitimate interests, Article 6(1)(f).
Lawful basis for processing special categories of personal data:
  • Healthcare condition, Article 9(2)(h).
  • Legal defence condition, Article 9(2)(f).
  • Vital interests of the data subject condition, Article 9(2)(c).

Purpose of processing: To inform you about our events and news (marketing info).
Types of personal data:
  • Basic contact details for a patient, such as name, address, date of birth, email address, and telephone numbers.
  • Marketing preferences.
Lawful basis for processing personal data:
  • Consent, Article 6(1)(a).

Purpose of processing: To process and analyse your feedback or answer any complaint or legal claim from you.
Types of personal data:
  • Basic contact details for a patient, such as name, address, date of birth, email address, and telephone numbers.
  • Special category personal data concerning health, such as diagnostic tests, assessments, care treatment plans, past and future appointments. This may also include, where medically relevant, genetic data concerning inherited genetic characteristics.
Lawful basis for processing personal data:
  • Consent, Article 6(1)(a).
  • Legal obligation, Article 6(1)(c).
  • Legitimate interests, Article 6(1)(f).
Lawful basis for processing special categories of personal data:
  • Legal defence condition, Article 9(2)(f).

Purpose of processing: Use of CCTV for security purposes.
Types of personal data:
  • Still images and videos, including time and date, of your visit to the Clinic.
Lawful basis for processing personal data:
  • Legitimate interests, Article 6(1)(f).

Purpose of processing: To improve the functionality and security of our website.
Types of personal data:
  • Website usage data, plus technical data which includes IP address, browser type, time zone setting and location, browser plug-in types and versions, operating system and platform.
Lawful basis for processing personal data:
  • Consent, Article 6(1)(a).
  • Legitimate interests, Article 6(1)(f).

What is special category data?

UK GDPR singles out some types of sensitive personal data and gives them extra protection.  
Special category data is defined at Article 9 of UK GDPR and includes personal data revealing: racial or ethnic origin; genetic data, relating to inherited genetic characteristics of a natural person; biometric data, which allow the unique identification of a natural person; data concerning health; and data concerning a natural person’s sex life or sexual orientation.

What does UK GDPR say about processing special category data?

Article 9 prohibits the processing of special category data unless it is for one of the ten provided exceptions.  We only process special category data where we can meet the condition of Article 9(2)(h) of UK GDPR, where “processing is necessary for the purposes of … medical diagnosis, the provision of health care … pursuant to contract with a health professional …”

What are the Relevant Lawful Bases and Special Category Data Conditions?

In most cases, LLC will rely on Article 6(1)(b) and Article 9(2)(h) of the UK GDPR for the processing of your personal data.

Contractual obligation, Article 6(1)(b) — “… necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract …”.

Healthcare condition, Article 9(2)(h) – “… necessary for the purposes of … medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of … law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 of Article 9”.

In addition, LLC may rely on one or more of the following bases including when sharing personal data:

Consent, Article 6(1)(a) – “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

Legal obligation, Article 6(1)(c) – “processing is necessary for compliance with a legal obligation to which the controller is subject”

Vital interest, Article 6(1)(d) – “processing is necessary in order to protect the vital interests of the data subject or of another natural person”

Public interest, Article 6(1)(e) – “processing relates to personal data which are manifestly made public by the data subject”

Legitimate interests, Article 6(1)(f) – “… necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”

When processing special category data LLC may also rely on:

Vital interests of the Data Subject, Article 9(2)(c) – “… necessary to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent …”

Legal defence, Article 9(2)(f) – “… processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity …”;

Substantial public interest, Article 9(2)(g) – “… necessary for reasons of substantial public interest …”

Public interest in the area of public health, Article 9(2)(i) – “… necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health …”

How we will use your information

We will use information about you to enable us to arrange appointments with the appropriate clinician and/or investigations or treatments to ensure that you are receiving care appropriate to your clinical needs.

We will not disclose your personal data without your permission except in exceptional circumstances (i.e. life or death situations), unless we are required to do so by law.

If you have been referred to us for consultation/investigation/treatment by another medical or allied professional, we may disclose details of your investigations/treatment to them where appropriate. We will discuss any disclosure with you in advance. You can ask for some information not to be shared but this may result in the delivery of your care being less efficient.             

We may share your information with selected third parties including clinical facilities, suppliers and sub-contractors for the performance of any contract we enter into with them or you; credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.

We will share information about your treatment with us with your insurance company in line with the terms of the policy that you have in place with them.

We will use your information to provide you with details about other services or products that we offer that we think will be relevant to your ongoing care or may be of interest to you.

We may use your information to respond to or investigate any queries or complaints, or to conduct analysis or evaluate our services.

We use the personal information that you have given or third-parties have provided to us:

  • To support delivery of healthcare and treatment.
  • To ensure that your treatment is safe and effective.
  • To work effectively with other organisations who may be involved in your care and/or treatment.
  • To review care provided to ensure it is of the highest standard possible.
  • To process payment for goods and services.
  • To train healthcare professionals.
  • For research and audit purposes.
  • To meet our legal obligations placed on us under English Law as a healthcare provider where we must have certain information about those we care for.

Marketing

We would like to send you information about products and services of ours and other companies we work with which may be of interest to you.  If you have consented to receive marketing, you may opt out at a later date.

You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please email info@LLClinics.co.uk.

Access to your information

Under the UK GDPR you have a number of rights with regard to how your personal data is handled. You have the right to request a copy of the information that we hold about you. If you would like a copy of some, or all, of your personal information please email the Chief Executive Officer at info@LLClinics.co.uk or write to us at the following address:  34 Great Titchfield Street, London W1W 8BQ.

If your personal details change, or it comes to your attention that the information we hold about you is inaccurate in any way please let us know and we will make the appropriate corrections.

How we store your personal data

We use systems, technology and support vendors who may store or have access to physical or cloud storage which resides in the UK or abroad.  This includes countries both within the European Economic Area (“EEA”) and, in limited circumstances, those further afield, for example in the United States of America.

Where we store or share personal data with a third party in a country outside of the UK or EEA, we will put appropriate safeguards in place to protect that data in accordance with relevant data protection laws and the ICO’s guidance.  These range from a contract with the third party supplier through to technical measures to protect it while it gets there.

We may also need to share your data with a third party in a country outside of the UK if you are a resident of another country and that third party is authorising or providing part of your care.

Whom we share your personal data with

We avoid sharing your data with anyone outside of the Clinic.  There will however be situations where this is not possible, and a third party will need to access or be given a copy of your personal data.  Examples of who we share data with include:

  • Consultants who are Data Controllers in their own right, in order to deliver care.
  • Suppliers, in order to support our IT infrastructure.
  • Regulators, authorities, or government bodies, in order to meet our legal obligations.
  • Insurance companies, medical experts or external legal advisors, in order to resolve a legal claim.
  • Your GP, NHS Trust, or international medical service, only at your request, for the provision of medical care.
  • Third parties for the purposes of debt collection.
  • Third party payment processors.
  • Delivery companies for transport services.

Where personal data identifying you is not required, we will avoid using it as much as possible and may either anonymise the data or hide your details.

Data retention

As outlined in the UK Data Protection Act 2018, personal data should be limited to only what is necessary and retained no longer than necessary. 

The Clinic only keeps your data for as long as it is required either by English Law, health regulatory best practice, codes of practice or our own legitimate business needs.  The range of retentions varies per type of data.  We align our retention periods for the storage of patient information and records to the NHS Records Management Code of Practice.

You can request a copy of the LLC Data Retention Policy from the reception desk or download a copy from our website.

Protecting your data

We protect the personal data we hold from theft, accidental loss, corruption, and other threats that would have a negative impact on our patients, consultants, staff and suppliers.  These protective measures include:

  • Not collecting personal data that we don’t really need.
  • Destroying or anonymising personal data securely when we don’t need it anymore.
  • Only allowing our staff and our suppliers to process the personal data they need to carry out their duties.
  • Encrypting personal data to render it useless to anyone who is not authorised to access it.
  • Making sure that all consultants and staff are trained on how to handle personal data safely and securely and are fully aware of their personal responsibilities.
  • Binding our suppliers to the same standards and duties of care that we hold ourselves to, with contractual controls.
  • Protecting our website, network and IT system from unauthorised access and from threats such as denial of service attacks, viruses and malware.
  • Making periodic checks that all of these measures are working well and making improvements to them when we think we can do better.
  • Ensuring backups are completed on a daily basis.

LLC is committed to ensuring a high level of protection for your personal data while it is under our control.

Your data protection rights

Under data protection legislation, with regard to personal data, you have rights including:

Your right of access – You have the right to ask us for copies of your personal information.

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances. (‘Right to be Forgotten’)

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.  Please contact LLC’s Chief Executive Officer at 34 Great Titchfield Street, London W1W 8BQ or at info@LLClinics.co.uk, if you wish to make a request.

Right to withdraw consent

You can withdraw your consent to receive information about our events and news at any time by using the unsubscribe link contained in all relevant communications or by contacting our Chief Executive Officer.

You also have the right to refuse or withdraw consent to information sharing at any time. We will fully explain the possible consequences to you at that time, as these could include delays in you receiving care.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to our Chief Executive Officer at 34 Great Titchfield Street, London W1W 8BQ or at info@LLClinics.co.uk.

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your personal data.

The ICO’s address:            
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Changes to our privacy policy

We regularly review our Privacy Policy and will update this page when necessary. This Privacy Policy was last updated on 31 January 2024, and is in effect from 1 February 2024.