Privacy Notice
East Anglia Shoulder & Elbow Last updated: [07/07/2026]
This notice explains how East Anglia Shoulder & Elbow ("we", "us", "our practice") collects, uses, stores, and shares your personal information, including special category (health) data, when you use our website, contact us, or receive care from us. It's written to meet our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this notice or how we handle your data, please contact us using the details in the "How to contact us" section below.
1. Who we are
East Anglia Shoulder & Elbow is a specialist orthopaedic practice providing assessment, diagnosis, and treatment of shoulder and elbow conditions.
Data Controller: East Anglia Shoulder & Elbow, 18-20 High Street, Stevenage. SG1 3EJ
ICO registration number: ZB245249
2. What information we collect
Depending on how you interact with us, we may collect:
Website and enquiry information
Name, email address, phone number, and postal address
Details you provide in contact forms, callback requests, or booking enquiries
Technical information such as IP address, browser type, and pages visited (via cookies/analytics — see our separate Cookie Notice)
Clinical and appointment information (if you become or are already a patient)
GP and referral details
Medical history, symptoms, examination findings, and diagnoses
Imaging (X-rays, MRI, ultrasound) and related reports
Treatment plans, surgical records, medication and allergy information
Correspondence with your GP, other clinicians, or insurers involved in your care
Outcome scores, follow-up notes, and any complaints or safety incident records
Payment and administrative information (private patients / insured patients)
Billing address and invoicing details
Health insurer name, policy/membership number, and authorisation details
Payment records (we do not store full card details — these are processed by our payment provider)
We collect most clinical information directly from you, your GP, or referring clinicians. We do not knowingly collect information from children without appropriate parental/guardian consent or involvement.
3. How we use your information and our legal basis
Under UK GDPR, we must have a lawful basis for processing personal data, and an additional condition for processing special category (health) data. We rely on:
Purpose Personal data basis (Art. 6) Health data condition (Art. 9) Providing clinical assessment, diagnosis, and treatment Contract / Vital interests Health or social care purposes (Art. 9(2)(h)), provided by a health professional under a duty of confidentiality Responding to website enquiries and bookings Contract / Legitimate interests N/A unless health details are volunteered, in which case explicit consent Liaising with your GP, referring consultant, or other treating clinicians Legitimate interests / Vital interests Health or social care purposes Processing insurance claims and billing Contract Explicit consent Clinical audit, safety monitoring, and service improvement Legitimate interests Health or social care purposes / substantial public interest Legal or regulatory compliance (e.g. GMC, CQC, litigation) Legal obligation Substantial public interest / legal claims Marketing communications (only if you've opted in) Consent Consent Website analytics Legitimate interests / Consent (per Cookie Notice) N/A
We never sell your personal information.
4. Who we share your information with
We share information only where necessary and appropriate, including with:
Your GP and any clinicians involved in your ongoing care
NHS organisations, where relevant to your treatment pathway
Private hospitals, clinics, or theatre facilities where your treatment takes place
Radiology and pathology services providing imaging or test results
Health insurers, where you are claiming on a policy (with your authorisation)
Anaesthetists, physiotherapists, and other allied health professionals in your care team
IT and software providers who host our clinical and administrative systems, under contractual confidentiality obligations
Regulators and professional bodies (e.g. Care Quality Commission, General Medical Council) where legally required
Professional advisers (e.g. our medical defence organisation, legal counsel) where necessary
Auditors or authorities, where required by law or in connection with legal proceedings
We do not transfer your personal data outside the UK/EEA unless a supplier requires it for hosting purposes, in which case we ensure appropriate safeguards (such as UK International Data Transfer Agreements) are in place.
5. How long we keep your information
We retain clinical records in line with NHS/Department of Health records management guidance and Royal College guidance for private practice, typically:
Adult clinical records: minimum of 8 years after the conclusion of treatment
Records relating to minors: until the patient's 25th birthday (or 26th if aged 17 at conclusion of treatment)
Imaging: in line with relevant clinical retention standards
Website enquiry data (non-patients): up to 2 years, or deleted sooner on request
Financial/billing records: 7 years, for tax and audit purposes
Where retention periods differ for specific record types, we apply the longer applicable period required by law or professional guidance.
6. Your rights
Under UK GDPR, you have the right to:
Access a copy of your personal data (Subject Access Request)
Rectification of inaccurate or incomplete data
Erasure of your data, in certain circumstances (this is limited for clinical records, which we have a legal duty to retain)
Restriction of processing in certain circumstances
Object to processing based on legitimate interests or for direct marketing
Data portability, where processing is based on consent or contract and carried out by automated means
Withdraw consent at any time, where consent is our legal basis (this does not affect processing carried out before withdrawal)
To exercise any of these rights, contact us using the details above. We will respond within one month, as required by law. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113 if you believe we have not handled your data properly.
7. How we keep your information secure
We use appropriate technical and organisational measures to protect your data, including access controls, encryption where appropriate, staff confidentiality obligations, and secure hosting arrangements with our clinical software providers. Only staff who need access to your information to carry out their role are able to do so.
8. Cookies and website analytics
Our website may use cookies and similar technologies to support functionality and understand how visitors use our site. Full details are set out in our separate [Cookie Notice], including how to manage your preferences.
9. Changes to this notice
We may update this notice from time to time to reflect changes in our practice or legal requirements. The date at the top shows when it was last revised. We encourage you to review it periodically.
10. How to contact us
If you have questions, concerns, or wish to exercise any of your rights, please contact:
East Anglia Shoulder & Elbow 18-20 High Street, Stevenage. SG1 3EJ. secretary@easae.co.uk. 07480 838014
If you are not satisfied with our response, you can contact the Information Commissioner's Office at ico.org.uk.
