Privacy Notice

East Anglia Shoulder & Elbow Last updated: [07/07/2026]

This notice explains how East Anglia Shoulder & Elbow ("we", "us", "our practice") collects, uses, stores, and shares your personal information, including special category (health) data, when you use our website, contact us, or receive care from us. It's written to meet our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions about this notice or how we handle your data, please contact us using the details in the "How to contact us" section below.

1. Who we are

East Anglia Shoulder & Elbow is a specialist orthopaedic practice providing assessment, diagnosis, and treatment of shoulder and elbow conditions.

  • Data Controller: East Anglia Shoulder & Elbow, 18-20 High Street, Stevenage. SG1 3EJ

  • ICO registration number: ZB245249

2. What information we collect

Depending on how you interact with us, we may collect:

Website and enquiry information

  • Name, email address, phone number, and postal address

  • Details you provide in contact forms, callback requests, or booking enquiries

  • Technical information such as IP address, browser type, and pages visited (via cookies/analytics — see our separate Cookie Notice)

Clinical and appointment information (if you become or are already a patient)

  • GP and referral details

  • Medical history, symptoms, examination findings, and diagnoses

  • Imaging (X-rays, MRI, ultrasound) and related reports

  • Treatment plans, surgical records, medication and allergy information

  • Correspondence with your GP, other clinicians, or insurers involved in your care

  • Outcome scores, follow-up notes, and any complaints or safety incident records

Payment and administrative information (private patients / insured patients)

  • Billing address and invoicing details

  • Health insurer name, policy/membership number, and authorisation details

  • Payment records (we do not store full card details — these are processed by our payment provider)

We collect most clinical information directly from you, your GP, or referring clinicians. We do not knowingly collect information from children without appropriate parental/guardian consent or involvement.

3. How we use your information and our legal basis

Under UK GDPR, we must have a lawful basis for processing personal data, and an additional condition for processing special category (health) data. We rely on:

Purpose Personal data basis (Art. 6) Health data condition (Art. 9) Providing clinical assessment, diagnosis, and treatment Contract / Vital interests Health or social care purposes (Art. 9(2)(h)), provided by a health professional under a duty of confidentiality Responding to website enquiries and bookings Contract / Legitimate interests N/A unless health details are volunteered, in which case explicit consent Liaising with your GP, referring consultant, or other treating clinicians Legitimate interests / Vital interests Health or social care purposes Processing insurance claims and billing Contract Explicit consent Clinical audit, safety monitoring, and service improvement Legitimate interests Health or social care purposes / substantial public interest Legal or regulatory compliance (e.g. GMC, CQC, litigation) Legal obligation Substantial public interest / legal claims Marketing communications (only if you've opted in) Consent Consent Website analytics Legitimate interests / Consent (per Cookie Notice) N/A

We never sell your personal information.

4. Who we share your information with

We share information only where necessary and appropriate, including with:

  • Your GP and any clinicians involved in your ongoing care

  • NHS organisations, where relevant to your treatment pathway

  • Private hospitals, clinics, or theatre facilities where your treatment takes place

  • Radiology and pathology services providing imaging or test results

  • Health insurers, where you are claiming on a policy (with your authorisation)

  • Anaesthetists, physiotherapists, and other allied health professionals in your care team

  • IT and software providers who host our clinical and administrative systems, under contractual confidentiality obligations

  • Regulators and professional bodies (e.g. Care Quality Commission, General Medical Council) where legally required

  • Professional advisers (e.g. our medical defence organisation, legal counsel) where necessary

  • Auditors or authorities, where required by law or in connection with legal proceedings

We do not transfer your personal data outside the UK/EEA unless a supplier requires it for hosting purposes, in which case we ensure appropriate safeguards (such as UK International Data Transfer Agreements) are in place.

5. How long we keep your information

We retain clinical records in line with NHS/Department of Health records management guidance and Royal College guidance for private practice, typically:

  • Adult clinical records: minimum of 8 years after the conclusion of treatment

  • Records relating to minors: until the patient's 25th birthday (or 26th if aged 17 at conclusion of treatment)

  • Imaging: in line with relevant clinical retention standards

  • Website enquiry data (non-patients): up to 2 years, or deleted sooner on request

  • Financial/billing records: 7 years, for tax and audit purposes

Where retention periods differ for specific record types, we apply the longer applicable period required by law or professional guidance.

6. Your rights

Under UK GDPR, you have the right to:

  • Access a copy of your personal data (Subject Access Request)

  • Rectification of inaccurate or incomplete data

  • Erasure of your data, in certain circumstances (this is limited for clinical records, which we have a legal duty to retain)

  • Restriction of processing in certain circumstances

  • Object to processing based on legitimate interests or for direct marketing

  • Data portability, where processing is based on consent or contract and carried out by automated means

  • Withdraw consent at any time, where consent is our legal basis (this does not affect processing carried out before withdrawal)

To exercise any of these rights, contact us using the details above. We will respond within one month, as required by law. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113 if you believe we have not handled your data properly.

7. How we keep your information secure

We use appropriate technical and organisational measures to protect your data, including access controls, encryption where appropriate, staff confidentiality obligations, and secure hosting arrangements with our clinical software providers. Only staff who need access to your information to carry out their role are able to do so.

8. Cookies and website analytics

Our website may use cookies and similar technologies to support functionality and understand how visitors use our site. Full details are set out in our separate [Cookie Notice], including how to manage your preferences.

9. Changes to this notice

We may update this notice from time to time to reflect changes in our practice or legal requirements. The date at the top shows when it was last revised. We encourage you to review it periodically.

10. How to contact us

If you have questions, concerns, or wish to exercise any of your rights, please contact:

East Anglia Shoulder & Elbow 18-20 High Street, Stevenage. SG1 3EJ. secretary@easae.co.uk. 07480 838014

If you are not satisfied with our response, you can contact the Information Commissioner's Office at ico.org.uk.