Privacy policy

1. About this Privacy Policy

Clean Slate Clinic Ltd ("we", "our", "us") is committed to protecting the privacy and security of personal data. We are registered as a Data Controller with the UK Information Commissioner’s Office (ICO) and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the NHS Records Management Code of Practice, the Common Law Duty of Confidentiality, and Care Quality Commission (CQC) standards.

This Privacy Policy explains how we handle personal data in relation to our services, including:

●      What personal data we collect and hold.

●      How and why we use your data.

●      Who we share your data with.

●      How we store and secure your data.

●      Your rights under data protection law.

●      How to complain if you are dissatisfied.


This policy applies to all personal data we process in delivering care and related business operations.

2. Who we are

Clean Slate Clinic Ltd provides home-based and telehealth-enabled withdrawal and recovery services for individuals experiencing alcohol and substance dependence. Our registered office and contact details are provided at the end of this document.

3. Our legal obligations under UK GDPR and the Data Protection Act 2018

We process personal data in line with the following principles:

●      Lawfulness, fairness, transparency.

●      Purpose limitation.

●      Data minimisation.

●      Accuracy.

●      Storage limitation.

●      Integrity and confidentiality.

●      Accountability.

We also comply with health-specific legislation and professional standards applicable to doctors, nurses, and pharmacists.

4. What is personal and special category data

Personal data: any information relating to an identified or identifiable individual (e.g. name, date of birth, address, contact details, financial information).

Special category data: a subset of personal data requiring extra protection, including:

●      Health information and medical history.

●      Genetic and biometric data.

●      Racial or ethnic origin.

●      Sexual orientation and gender identity.

●      Religious or philosophical beliefs.

5. Collection of your personal data

We collect personal data that is necessary to provide safe and effective care. Sources include:

●      Information you provide (via forms, telehealth, emails, phone calls, apps).

●      Information from other healthcare providers (GP, NHS services, pharmacies) with your consent or as permitted by law.

●      Support persons or family members where authorised.

Unsolicited data: If we receive information not required for our services, we will assess whether we may lawfully retain it. If not, it will be securely deleted.

Children & vulnerable persons: We only collect and process data of children and vulnerable individuals where lawful, with appropriate safeguards and consent.

6. Remaining anonymous or pseudonymous

You may request to interact with us anonymously or under a pseudonym where practical (e.g. general enquiries). This may not be possible where identification is necessary for safe care, prescribing, safeguarding, or legal reasons.

7. Purposes and lawful bases for processing

We process data only where a lawful basis under UK GDPR applies. Examples:

●      Consent – for specific optional services, research, or communications.

●      Contract – to deliver services you have signed up for.

●      Legal obligation – compliance with CQC, safeguarding, tax, or NHS reporting.

●      Vital interests – where necessary to protect life or health.

●      Public task – providing healthcare services in the public interest.

●      Legitimate interests – for administrative or quality improvement purposes, balanced against your rights.

8. How we use and disclose your data

We may use your data for:

●      Clinical care and safe prescribing.

●      Service monitoring, quality assurance, and audits.

●      Safeguarding children and vulnerable adults.

●      Meeting regulatory requirements (CQC, NHS, GMC/NMC/GPhC).

●      Research and statistical analysis (usually de-identified).

●      Financial management (billing, payment processing).

We will not use your data for marketing without explicit consent.

9. Data linkage and integration

We may link anonymised datasets to evaluate outcomes, improve services, or conduct research. Data linking projects are subject to privacy impact assessments and robust governance.

10. Sharing your data with third parties

We share data only where necessary and lawful, for example:

●      GPs and other NHS services.

●      Pharmacies for dispensing medication.

●      Regulators such as the CQC or GMC.

●      Technology providers (e.g. Semble electronic health record platform, cloud storage providers).

●      Insurers, commissioners, or funders where relevant.

All third parties are required by contract to maintain data protection standards equivalent to UK GDPR.

11. International transfers

Where data is transferred outside the UK (e.g. cloud providers), we ensure safeguards are in place, including:

●      UK adequacy regulations (where a country is recognised as having equivalent protections).

●      International Data Transfer Agreements (IDTAs).

12. Storage, retention, and destruction

Records are kept in line with the NHS Records Management Code of Practice. Examples:

●      Adult health records: minimum 8 years.

●      Children’s records: until 25th birthday (or 26th if aged 17 at conclusion of treatment).

When records are no longer required, they are securely destroyed or anonymised.

13. Data security

We protect data using:

●      Encryption in transit and at rest.

●      Multi-factor authentication.

●      Role-based access controls.

●      Staff training and confidentiality agreements.

●      Regular security testing and audits.

●      Incident response procedures.

14. Your rights

You have the following rights under UK GDPR:

●      Access to your data.

●      Rectification of inaccuracies.

●      Erasure (where applicable).

●      Restriction of processing.

●      Data portability.

●      Objection to processing (including for direct marketing).

●      Not to be subject to solely automated decisions with significant effects.

Requests should be submitted to our Data Protection Officer. We will respond within one month.

15. Notifiable data breaches

If a data breach poses a risk to your rights and freedoms, we will:

●      Notify the ICO within 72 hours.

●      Inform affected individuals without undue delay where high risk exists.

●      Document breaches and remedial actions.

16. Complaints

If you are concerned about our handling of your data:

1. Contact us directly (see details below).

2. If unresolved, you may complain to the ICO:

- Website: www.ico.org.uk

- Phone: 0303 123 1113

- Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

17. Artificial Intelligence (AI) and your privacy

We may use AI tools to support analysis and improve service delivery. AI is never used to make autonomous clinical decisions. Safeguards include:

●      De-identification of data where possible.

●      Oversight by the Clinical Governance Committee.

●      Regular accuracy and bias testing.

●      Privacy impact assessments.

●      Opt-out rights where appropriate.

18. Updates to this Policy

We review this policy annually and update it where required by law or practice changes. Significant updates will be communicated via our website and direct notices.

This policy was last updated 17th September, 2025.

19. Contact Us

Data Protection Officer
Clean Slate Clinic Ltd
Market House, 10 Market Walk, Saffron Walden CB10 1JZ

Email: DPO-UK@cleanslateclinic.com
Phone: 0203 835 4705
ICO Registration Number: ZB866300