Privacy Policy


Your personal data may be required in order to:

    • provide healthcare
    • arrange appointments
    • manage fees and payments

and also to respond to any enquiries you may have. This Privacy Policy explains:

    • what data we collect and store
    • who we obtain this data from
    • why and how we use this data
    • what we do to keep your data safe
    • how you can find out more, or raise a concern about data protection with us.

We are committed to keeping your data safe and secure, and meeting the requirements of the General Data Protection Regulation (GDPR), namely that personal data be:

    • obtained fairly and lawfully
    • obtained for a specific and lawful purpose
    • adequate and relevant, but not excessive
    • accurate and kept up to date
    • held for no longer than necessary
    • processed in accordance with the rights of those to whom the data pertains
    • kept subject to appropriate security measures

Data Controller

The Data Controller, Yan-Chee Yu, is responsible for determining the purposes and means of processing personal data. He may be contacted by post at 11 Silverwood Way, Up Hatherley, Cheltenham, Glos, GL51 3TW, or by email at

Summary of Data Use

Table 1 shows:

    • what data is collected
    • who it is obtained from
    • why this data is collected and processed
    • the legal basis for processing this data
    • who processes this data
    • how long this data is kept, and what happens to it once it is no longer needed
    • how this data is kept safe

Data Security

Your data is kept secure at all times against unauthorised or unlawful access or loss using:

    • locked filing cabinets,
    • password protected device access,
    • GDPR compliant email storage,
    • written confidentiality and data protection agreements for data processors.

Data Transfer Outside of the EU

The Data Controller uses an email service which is GDPR compliant, which means that any data stored in this email inbox is appropriately protected even if it is stored on a server outside of the EU. Data transfer outside of the EU can also occur if we communicate via email and your email inbox is hosted on a server outside of the EU, or if we communicate by phone and one of us is located outside the EU. In such cases this will be because:

    • it relates to provision or administration of your healthcare
    • is for reasons of public interest
    • is necessary for legal reasons

What Happens if There is a Data Breach?

In the event of a data breach that is likely to result in a risk to people’s rights and freedoms, the data breach will be reported to the Information Commissioner’s Office (ICO), not later than 72 hours after it has come to light. People whose data is affected will be notified in line with current legislation.

Your Rights

  • Access – you have a right to confirmation that we are processing your data, and a copy of any of your personal data which we hold.
  • Rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Erasure – in certain circumstances, you have a right to ask for the data we hold about you to be erased from our records (see also table 1).
  • Restriction of processing – in certain circumstances, you have a right to restrict the processing of your personal data which we hold.
  • Portability – where data is processed on the basis of consent or performance of a contract, and in addition by automated means, you have the right to have your data transferred to another Data Controller.
  • Objection – under certain circumstances, you have the right to ask us to stop processing your personal data.
  • Automated decision-making including profiling – you have the right not to be subject to legal or similarly significant effects which are based solely on automated processing.

If you wish to exercise any of these rights, please contact the Data Controller. In the event that the Data Controller refuses your request, you will be given a reason as to why, which you may challenge legally and/or with the Information Comissioner’s Office (ICO).

Raising a Concern

In the event that you have a concern about how your personal data has been handled, you have a right to complain to the Data Controller. If the situation cannot be resolved to your satisfaction, then you may contact the Information Commissioner’s Office (ICO). Details of how to do so can be found at

Reviewing and Revising our Privacy Policy

We aim to incorporate best practice into our policies, and as such a review of our Privacy Policy will take place six months (November 2018) after the GDPR becomes law on May 25th 2018. This review may take place sooner if additional relevant or significant information becomes available. After this, review will take place annually.

Notice of any amendment to this Privacy Policy will be made available on this website.