Gladstones Clinics Ltd needs to collect personal information to effectively carry out our everyday business functions and activities and to provide the products and services defined by our business type. Such data is collected from employees, customers, suppliers and clients and includes (but is not limited to) name, address, email address, date of birth, IP address, identification numbers, private and confidential information, sensitive information and bank/credit card details.
In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations. In all cases we are committed to processing personal information in accordance with the General Data Protection Regulation (GDPR), UK data protection laws and any other relevant data protection laws and codes of conduct (herein collectively referred to as “the data protection laws”).
We are committed to ensuring that all personal data processed by the Company is done so in accordance with the data protection laws and its principles, along with any associated regulations and/or codes of conduct laid down by the Supervisory Authority and local law. We ensure the safe, secure, ethical and transparent processing of all personal data and have stringent measures to enable data subjects to exercise their rights.
As we employ fewer than 250 staff, we only need to document processing activities that:
The Company has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the data protection laws and principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category data is one of our top priorities and we are proud to operate a ‘Privacy by Design’ approach, assessing changes and their impact from the start and designing systems and processes to protect personal information at the core of our business.
The purpose of this policy is to ensure that the Company meets its legal, statutory and regulatory requirements under the data protection laws and to ensure that all personal and special category information is processed compliantly and in the individual's best interest.
The data protection laws include provisions that promote accountability and governance and as such the Company has put comprehensive and effective governance measures into place to meet these provisions. The aim of such measures is ultimately to minimise the risk of breaches and uphold the protection of personal data. This policy also serves as a reference document for employees and third parties on the responsibilities of handling and accessing personal data and data subject requests.
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
As the Company is in the UK, we are obligated under the GDPR and the UK’s Data Protection Bill that implements the GDPR into UK law. Our data protection policies and procedures adhere to both the GDPR and Data Protection Bill requirements, as applicable to our business type.
The General Data Protection Regulation (GDPR) (EU) 2016/679 was approved by the European Commission in April 2016 and will apply to all EU Member States from 25th May 2018. As a ‘Regulation’ rather than a ‘Directive’, its rules apply directly to Member States, replacing their existing local data protection laws and repealing and replacing Directive 95/46/EC and its Member State implementing legislation.
As the Company processes personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (GDPR) to protect such information, and to obtain, use, process, store and destroy it, only in compliance with its rules and principles.
Information protected under the GDPR is known as “personal data” and is defined as:
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The Company maintains a Data Asset Register which records all forms of data retained by the company and specifies the lawful purpose for processing this data, how it is safeguarded and how long it is retained. We have also mapped the flow of client data.
The company does not process biometric or genetic data.
In line with Article 5 of the GDPR, Gladstones Clinic ensures that personal data shall be:
The Registered Manager shall act as data controller and in line with Article 5(2) ‘the controller shall be responsible for, and be able to demonstrate, compliance with the data protection laws principles’.
At the core of all personal information processing activities undertaken by the Company, is the assurance and verification that we are complying with Article 6 of the GDPR and our lawfulness of processing obligations. Prior to carrying out any personal data processing activity, we identify and establish the legal basis for doing so and verify these against the regulation requirements to ensure we are using the most appropriate legal basis.
The legal basis is documented in the Data Asset Register. Data is only obtained, processed or stored when we have met the lawfulness of processing requirements, where:
Gladstones Clinic maintains a risk assessment which is reviewed every twelve months, supported by information provided by our external IT support provider, Impact Solutions. As we do not embark upon major projects, make use of automated decision making, hold special category data, or carry out profiling or tracking, we do not consider it necessary to conduct Data Protection Impact Assessments.
The Company has defined procedures for adhering to the retention periods as set out by the relevant laws, contracts and our business requirements, as well as adhering to the GDPR requirement to only hold and process personal information for as long as is necessary. All personal data is disposed of in a way that protects the rights and privacy of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and prioritises the protection of the personal data in all instances.
The Company defines a Privacy Notice as a document, form, webpage or pop-up that is provided to individuals at the time we collect their personal data (or at the earliest possibility where that data is obtained indirectly).
Our Privacy Notice includes the Article 13 (where collected directly from individual) or 14 (where not collected directly) requirements and provides individuals with all the necessary and legal information about how, why and when we process their data, along with their rights and obligations.
We have a link to our Privacy Notice on our website and provide a copy in physical and digital formats upon request. The notice is the customer-facing policy that provides the legal information on how we handle, process and disclose personal information.
As per the data protection law guidelines, we do not use consent as a legal basis for obtaining or processing employee personal information. Our HR policies have been updated to ensure that employees are provided with the appropriate information disclosure and are aware of how we process their data and why.
All employees are provided with our Staff Handbook which informs them of their rights under the data protection laws and how to exercise these rights and are provided with a Privacy Notice specific to the personal information we collect and process about them.
Where a data subject asks us to confirm whether we hold and process personal data concerning him or her and requests access to such data, we provide them with:
Subject Access Requests (SAR) are passed to the Registered Manager as soon as received and a record of the request is noted. The type of personal data held about the individual is checked against our Data Asset Register to see what format it is held in, who else it has been shared with and any specific timeframes for access.
SARs are always completed within 30 days and are provided free of charge. Where the individual makes the request by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested. In response to a SAR we are able to offer personal access, correction where necessary and erasure where permissible.
Please refer to our external Subject Access Request Procedures for the guidelines on how an SAR can be made and what steps we take to ensure that access is provided under the data protection laws.
Pursuant to Article 5(d), all data held and processed by the Company is reviewed and verified as being accurate wherever possible and is always kept up to date. Where notified of inaccurate data by a third party, we will rectify the error within 30 days and inform any third party of the rectification if we have disclosed the personal data in question to them. If we identify that any of our data is inaccurate, an incident report is completed and passed to the Registered Manager, who will conduct a full investigation and ensure the inaccuracy is rectified.
Staff who manage and process personal or special category information will be provided with data protection training and will be subject to continuous development support and mentoring to ensure that they are competent and knowledgeable for the role they undertake.
Gladstones Clinic must notify its supervisory authority, the ICO (Information Commissioner’s Office), of a data breach within 72 hours of becoming aware of it.
When a breach is first identified, an incident report form is completed and passed to the Registered Manager. The Registered Manager will complete a full investigation before reporting to the ICO.
By ‘breach,’ we are referring to cyber attacks or any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
As this definition suggests, data breaches are not always the result of a criminal hacker breaking into our systems. They are just as likely to occur when an employee accidentally sends personal information to the wrong person, loses a laptop containing personal data, or fails to password-protect an online database.
All of these scenarios are subject to the GDPR’s data breach reporting requirements and require us to notify the ICO.
| Date | Reviewed by | Changes | Next Review |
|---|---|---|---|
| 1.12.23 | SC | No Changes | Dec 24 |
| 16.12.24 | CE | No Changes | Dec 25 |