Privacy Policy

Privacy notice

Privacy Notice – Surrey Cardiovascular Clinic (SCVC)

At Surrey Cardiovascular Clinic (SCVC), we take data privacy very seriously and carefully balance the need for timely access to important medical information with the protection of patient confidentiality.

Although many consultants maintain their own clinical records, SCVC is required to maintain an electronic record for every registered patient undergoing investigations or imaging at our facilities.

1. Data Controller

SCVC is the data controller for the information described below. Our IT infrastructure and electronic record systems are operated on our behalf by approved data processors, including MedicalSpace Ltd.

2. Information We Hold

A. Administrative and demographic data

• Name, address, date of birth
• GP details
• Telephone numbers and email address
• Next-of-kin details (if provided)
• Insurance provider and membership number
• Allergies and relevant safety information

B. Clinical records (electronic)

Stored within our secure electronic patient record systems:

• Medical correspondence, referral letters, and clinical reports
• Investigation results, imaging reports, and diagnostic data
• Relevant clinical emails and communications
• AI-generated written consultation transcripts used to support accurate clinical documentation (no audio recordings of consultations are stored)

Access is restricted to authorised clinical staff and approved imaging partners with role-based permissions that can be revoked at any time.

C. Imaging and diagnostic data

For patients undergoing CT or other imaging, identifying information (e.g. name and date of birth) may be securely processed by contracted imaging providers and software partners (e.g. VCL Group, InHealth Ltd, PostDICOM, TeraRecon, HeartFlow) using secure European-based servers. Data are retained for clinical purposes and deleted after the applicable retention period.

D. Financial and administrative records

• Invoices and services rendered (retained for up to 7 years)
• Card payment receipts (retained for up to 12 months)
  No bank or card details are stored within SCVC systems.

3. Storage and Security

Data are securely stored within encrypted cloud-based systems including:

• Virtual Clinic EPR (Medioffice) – clinical records
• Egnyte (EU servers) – secure archival administrative information
• Microsoft Teams (EU servers) – authorised internal clinical communications and MDT documentation
• JotForm (EU/London servers) – patient-submitted registration and medical information forms

Sensitive information is not transmitted by email without consent unless encrypted or password protected.

4. Data Sharing

With appropriate patient consent, authorised staff may share relevant clinical records or imaging with other healthcare providers involved in your care. In emergencies, information may be shared where necessary for urgent treatment in accordance with legal and regulatory requirements.

5. Retention

Clinical and administrative records are generally retained for up to 7 years after the last episode of care (longer where clinically or legally required), after which they are securely deleted or destroyed.

6. Regulatory Framework

SCVC manages patient information in accordance with:

• UK GDPR and Data Protection legislation
• GMC Confidentiality Guidance
• Records and Information Management policies applicable to healthcare providers

This notice forms part of SCVC’s ongoing commitment to protecting your personal and medical information while ensuring safe and effective clinical care.