How we use your information (our ‘Purposes’)
DMC collects and uses your information for the following purposes:
- To provide you with healthcare when you visit our Primary Care, Dermatology, Endoscopy, Radiology Reporting, or similar, services (including recording for training and legal defence purposes).
- To provide our services and report to our Commissioners about the service we provide to you.
- To anonymise and use your data for research into better care and practice.
- To keep our patients, visitors, and staff safe when visiting the site with the use of CCTV, for example.
- To receive and securely transfer relevant patient records where NHS services transfer to us from another provider, in order to ensure continuity of patient care.
In the sections below, we will provide more detail about what we collect, what we use it for, and our lawful basis for using it. The UK General Data Protection Regulation (UK GDPR or GDPR) defines several lawful bases, and Controllers must specify on webpages such as this one which lawful basis they rely on when using your information.
To provide you with healthcare
What do we use your information for?
Your doctor, radiologist, dermatologist and other health professionals caring for you, such as nurses and reception staff, need to keep records about your health and treatment to provide you with the best possible care. These records are called your ‘health care record’ and may be stored in paper form or on computer and other electronic systems.
If this NHS service has transferred to us from another provider, relevant parts of your health record will be securely transferred to DMC to allow your care to continue safely and effectively. This transfer is necessary for the provision of healthcare services under our NHS contract.
As part of this, we use your information to:
- Refer you to other healthcare providers when you need other services or tests
- Discuss or share information about your health or care with other health or social care providers
- Share samples with laboratories for testing (like blood samples)
- Share test results with hospitals or community services (like blood test results)
- Allow out-of-hours or extended hours’ GPs to look at your health record when you are going to an appointment
- Send prescriptions to a pharmacy
- Text you in relation to healthcare services and appointments
- Provide your samples to the courier for delivery to pathology
- Share reports with the coroner
- Receive reports of appointments you have attended elsewhere, such as with the community nurse or if you have had a stay in hospital
- Produce medical reports on request from third parties such as the DVLA or your employer, but only when you have provided prior consent
- Move your patient records to Primary Care Support England
What information do we collect?
We collect the following:
- Basic details about you, such as address, date of birth, NHS number, and next of kin
- Contact we have had with you, such as clinical visits
- Notes and reports about your health
- Details and records about your treatment and care
- Results of x-rays, laboratory tests, etc.
- Information about your sexual life or home life
- Information about ethnicity and religion
What is our lawful basis for using your information?
Healthcare providers are permitted to collect, store, use and share this information under Data Protection Legislation (the UK General Data Protection Regulation), which has a specific section related to healthcare information. This is called a ‘lawful basis’. Where we are deemed to be a Data Controller, our lawful basis for using your personal data is UK GDPR Article 6(1)(e) – a task carried out in the public interest or in the exercise of official authority. We have an NHS contract to provide our services.
We can also only use your health and other ‘special category’ or sensitive information if we apply an exception. These are in the UK GDPR, and we use Article 9(2)(h) – for the provision of healthcare.
Please be aware that administrative staff will often access information addressed to a particular clinician to allow us to manage high volumes of communication. They are bound by confidentiality in the same way as the clinician and will keep your information private.
Transfer of Records When Services Change Provider
When NHS services change provider, patient records may be transferred to the new provider to ensure continuity of care. If responsibility for your care moves to DMC, we will securely receive relevant information from the previous provider in accordance with NHS information governance requirements and UK data protection law.
We will only receive information that is necessary for your ongoing care and will process it in line with this Privacy Notice.
About children and young people
Young people aged 16 and over are allowed to make decisions about how their health information is used and shared. They are deemed competent from this age to make decisions about their own healthcare. Under these circumstances, unless the young person agrees, a parent or guardian will not be provided with information about the care of the young person.
Where the young person is under 16, case law allows the healthcare professional to decide that the individual is competent enough to make a decision about their own healthcare. Equally, under those circumstances, a parent or guardian will not be provided with access to information about the care of the young person.
Conversely, if a health care professional deems that the young person under 16 years of age cannot make the decision themselves, then parents or guardians will be invited into the discussion.
Parents or guardians of those under 16 should note that the application of competency (sometimes called Gillick competency) may apply to some or all elements of the confidential information about the young person.
To provide our services, report to our Commissioners and contribute to national NHS data sharing initiatives
What do we use your information for?
Along with activities directly related to your care, we also use information in ways that allow us to check that care is safe and provide data for the improvement and planning of services.
- Quality/ payment/ performance reports are provided to service commissioners
- Undertaking clinical audits locally to ensure safety and efficiency
- Sending practice information to other NHS bodies for national audits that are required by law (e.g., NHS Digital Audit Data Collection)
- Sending patient information to NHS Digital for research and planning purposes. Find Out More about how Patient Data is Used for Planning Research.
- Supporting staff training
- Incident and complaint management
- As part of ad hoc clinical research – information that identifies you will be removed, unless you have consented to being identified
What is our lawful basis for using your information?
When we use your information to conduct audits and manage our services to you, our lawful basis is UK GDPR Article 6(1)(e) – a task carried out in the public interest or in the exercise of official authority. When we use your health information for this purpose, we rely on the exception of the management of healthcare systems in Article 9(2)(h).
When we anonymise your information to use it for ad hoc clinical research purposes, we rely on our legitimate interests (Article 6(1)(f)) to understand and develop new methods of care for individuals and the research exception in Article 9(2)(j).
Do we transfer any of your information outside of the UK?
For your radiology service, we employ the services of Apollo Radiology International (ARI) to provide out-of-hours support and to allow us to provide an around-the-clock service. Radiologists are based in India and have ‘view only’ remote access to your personal data through the same systems (based here in the UK) that our UK radiologists use. No data is allowed to be taken out of the system, and we have strong security controls around access. All radiologists are registered with the Royal College of Radiologists.
As required by UK GDPR, we have put contracts in place with ARI (called International Data Transfer Agreements) which are mandated by the Information Commissioner’s Office, and which protect your personal data.
To help keep our visitors and staff safe
What do we use your information for?
DMC Healthcare Ltd. use CCTV at specified locations to protect patients, staff, and visitors from abuse or crime. CCTV footage is commonly used as a deterrent and can assist police if necessary.
- DMC Crystal Palace Road Medical Centre (SE22 9EP)
- DMC Chadwick Road Surgery (SE15 4PU)
Within these premises, areas which have CCTV coverage include:
- External front and rear entrance points
- External car park areas
- Reception & patient waiting rooms
- Common corridors
- Head office (all levels)
To support DMC Healthcare Ltd. in providing healthcare services, it is lawful to implement measures to safeguard individuals on the property and guarantee the safety of both staff and patients.
What is our Lawful Basis?
Under UK GDPR, our lawful basis for the use of CCTV is Article 6(1)(f) – legitimate interests. DMC has also ensured that the CCTV is only in place in the more public areas of the premises and that surveillance does not extend to clinical / consulting rooms or washrooms where privacy for individuals is expected. CCTV recordings are kept securely for 28 days. A copy of the recording within this timeframe can be requested, and you can raise concerns with our Data Protection Officer.
Sharing your information when required to by Law
We will occasionally have a legal obligation to share your information and will not always be able to discuss this with you directly. Examples might be for the purposes of detection or prevention of crime, where it is in the wider public interest, to safeguard children or vulnerable adults, reporting infectious diseases, or where required by court order.
Care Quality Commission access to health records
The Care Quality Commission (CQC) has powers under the Health and Social Care Act 2008 to access and use your health information when necessary to carry out their functions as a regulator. This means inspectors may ask to review certain records to decide whether we are providing safe, high-quality care. More information about the CQC can be found on their website.
To share information with the CQC, we will rely on the lawful basis of UK GDPR Article 6(1)(e) – a task carried out in the public interest or in the exercise of official authority, and on Article 9(2)(i), ensuring high standards of quality and safety of healthcare.