Data Protection and Privacy Policy for Patients

General Statement of the Company’s Duties and Scope

We are ‘I.A.B Health LTD’ trading as ‘IAB Neuro Rehab’, a private provider of neurological rehabilitation and allied health services.

As part of our operations, we collect and process personal data relating to patients, relatives, and staff. We are committed to ensuring that personal information is handled securely, responsibly, and in compliance with applicable data protection legislation.

This policy explains how we collect, use, store, and protect personal data in accordance with:

•       The UK General Data Protection Regulation (UK GDPR)

•       The Data Protection Act 2018

•       Guidance issued by the Information Commissioner's Office (ICO).

 

Data Protection

I.A.B Health LTD is registered with the Information Commissioner’s Office (ICO) and acts as the Data Controller, determining the purposes and means of processing personal data relating to patients and service users.

ICO Registration Number: ZB965426

 

Definitions

For the purposes of this policy:

The Company: I.A.B Health LTD

Data Controller: The organisation that determines how and why personal data is processed.

Data Processor: Any individual or organisation that processes personal data on behalf of the Data Controller.

 

GDPR Principles

In accordance with Article 5 of the UK GDPR, we ensure that personal data is:

1.     Processed lawfully, fairly and transparently

2.     Collected for specified, explicit and legitimate purposes

3.     Adequate, relevant and limited to what is necessary

4.     Accurate and kept up to date

5.     Kept only for as long as necessary

6.     Processed securely and confidentially, with protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

7.     Handled in a way that allows the Company, as Data Controller, to demonstrate its compliance with these principles (accountability)

In addition, personal data is not transferred outside the UK unless the destination is covered by UK adequacy regulations or other appropriate safeguards are in place.

 

Data Control for Patients

The Company acts as the Data Controller for patient information.

Staff members will process personal data as part of their professional responsibilities. Clinical staff must comply with all relevant professional standards, regulatory requirements, and confidentiality obligations.

While external data processors have their own legal obligations for the processing they carry out, the Company, as Data Controller, retains overall responsibility for ensuring that all processing of patient data complies with UK GDPR.

All employees, contractors, and associates are bound by contractual obligations relating to patient confidentiality and data protection.

 

Data Control for Clinical Associates

Clinical associates working with the Company may maintain their own clinical records and may therefore act as Data Controllers for their own professional records.

In these cases:

•        The Company may process limited patient data for appointment scheduling and administrative purposes only.

•        Clinical associates must confirm in writing that they comply with UK GDPR and professional confidentiality standards.

Any questions regarding the data protection practices of individual clinicians should be directed to the relevant practitioner.

 

External Data Processors

Where the Company uses third-party service providers (such as cloud storage systems, electronic medical record systems, or IT service providers), we ensure that:

•       All providers comply with UK GDPR requirements and process patient data only on the Company’s documented instructions

•       Written data processing agreements containing the terms required by Article 28 of the UK GDPR are in place before any patient data is shared

•       Appropriate technical and organisational security measures are implemented and reviewed as part of our data protection audits

 

What Personal Information Do We Process?

Personal and Contact Details

Reception staff collect personal information required for appointment booking and administrative purposes. This may include:

•       Title

•       Full name

•       Date of birth

•       Address

•       Telephone number

•       Email address

•       Attendance records

It is a legal requirement for healthcare providers to maintain records of appointments and attendance.

 

Special Category (Sensitive) Personal Data

Clinical records contain special category health data, including:

•       Medical history

•       Clinical assessments

•       Treatment records

•       Rehabilitation progress notes

These records are created and maintained by clinicians in accordance with professional and legal obligations.

Sensitive information will only be shared:

•       With your explicit consent, or

•       Where required by law or safeguarding obligations.

This may include sharing information with:

•       General Practitioners (GPs)

•       Other healthcare professionals

•       Health insurers

•       Legal representatives involved in medical claims

Patients may request to review correspondence or reports before they are shared.

 

How We Collect Your Information

We collect personal data when:

•       You contact us to book an appointment

•       You complete a patient registration form

•       You attend your initial consultation

•       Your clinician conducts an assessment and treatment session

During registration, patients are asked to review and sign a Privacy Notice and Data Consent Form, confirming that they understand how their information will be processed.

 

Ownership of Clinical Records

All treatment records created during care delivered through the Company are owned by I.A.B Health LTD.

This ensures that patient records are managed securely and in accordance with data protection requirements while enabling clinicians involved in a patient’s care to access necessary information.

 

Privacy Notice and Consent

Patients (or their legal guardian) will be asked to read a Privacy Notice at the beginning of each episode of care and provide consent for the processing of their personal data.

Consent may be withdrawn at any time, although this may affect the Company’s ability to provide services. Withdrawal does not affect the lawfulness of processing carried out before it was withdrawn, and clinical records that the Company is legally or professionally required to keep will continue to be retained for the applicable retention period.

 

Right of Access to Information

Patients have the right to request access to personal data held by the Company. This is known as a Subject Access Request (SAR).

We will respond to a request without undue delay and in any case within one month of receiving it, as required under UK GDPR. Where a request is complex, or we have received a number of requests from the same person, this period may be extended by up to two further months; if so, we will tell you within the first month and explain why.

Before releasing any records we will verify the identity of the person making the request, and we will withhold information relating to other individuals unless it is reasonable to disclose it.

The first copy of requested information will normally be provided free of charge.

Requests relating to records held independently by clinical associates should be directed to the relevant practitioner.

 

Data Accuracy

The Company takes reasonable steps to ensure personal data is accurate and up to date.

Patients should inform us of any changes to their contact details or personal information.

Patients also have the right to:

•       Request correction of inaccurate data

•       Request erasure of data where appropriate

However, clinical records may not be altered where there is a legal or professional requirement to retain the original information.

 

Monitoring Data Protection Compliance

The Company conducts regular data protection reviews, including:

•       Annual GDPR risk assessments

•       Data processing audits

•       Reviews of security measures

•       Monitoring of consent records

•       Recording and investigation of any data breaches

These reviews assess:

•       What information is held

•       Where data is stored

•       How data is processed

•       Compliance with internal policies

 

Data Retention and Destruction

Patient information will be retained in accordance with legal, professional, and operational requirements.

Healthcare records are retained for at least the minimum period set out in the NHS Records Management Code of Practice and the guidance of the relevant professional bodies.

When records are no longer required, paper records will be securely destroyed and electronic records will be permanently deleted.

 

Information Sharing

We will not share your personal information with third parties without your consent unless required by law.

If you are claiming treatment costs through a health insurer, we may need to share relevant clinical information to process your claim.

You may request to review any reports or correspondence before they are sent.

 

Marketing

We will not use your personal data for marketing purposes without your explicit consent.

We will also never sell or share your information with third parties for marketing purposes.