Privacy Policy

CES Medical - Comprehensive Eye Care
Last Updated: 21/07/2025
Effective Date: 23/07/2025

1. Introduction

CES Medical ("we," "us," or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, use our services, or interact with us in any way.

This policy applies to all personal data processing activities carried out by CES Medical, including our websites, clinics, and all related services. We are registered with the Information Commissioner's Office (ICO) and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller Details

  • Company Name: CES Medical Ltd
  • Registered Address: Maidstone Innovation Centre, Gidds Pond Way, Weavering, Maidstone, England, ME14 5FY
  • Contact Email: support@cesmedical.co.uk
  • Phone: 01634 963222
  • ICO Registration Reference: ZA841791

2. Information We Collect

2.1 Personal Information You Provide

Patient Information:

  • Full name, date of birth, and contact details
  • NHS number and medical insurance information
  • Medical history and current health conditions
  • Medication details and allergies
  • Emergency contact information
  • Payment and billing information

Appointment and Service Information:

  • Appointment dates, times, and locations
  • Treatment preferences and requirements
  • Communication preferences
  • Feedback and survey responses

Website and Digital Information:

  • Contact form submissions
  • Newsletter subscriptions
  • Online appointment requests
  • Account registration details

2.2 Information We Collect Automatically

Website Usage Data:

  • IP address and browser information
  • Pages visited and time spent on site
  • Referring websites and search terms
  • Device type and operating system
  • Cookies and similar tracking technologies

Clinical Data:

  • Examination results and test outcomes
  • Diagnostic images and scans
  • Treatment records and surgical notes
  • Progress monitoring and follow-up data
  • Prescription and medication records

2.3 Information from Third Parties

Healthcare Providers:

  • Referral information from GPs and optometrists
  • Medical records from other healthcare providers
  • Insurance authorization and coverage details
  • NHS patient data and referral systems

Professional Networks:

  • Information from medical colleagues and consultants
  • Laboratory and diagnostic service results
  • Specialist consultation reports

3. Legal Basis for Processing

We process your personal data under the following legal bases:

3.1 Consent

  • Marketing communications (with your explicit consent)
  • Non-essential cookies and tracking
  • Photography for marketing purposes (with consent)
  • Research participation (with explicit consent)

3.2 Contract Performance

  • Providing medical services and treatments
  • Processing appointments and bookings
  • Billing and payment processing
  • Insurance claim processing

3.3 Legal Obligation

  • NHS reporting requirements
  • Professional regulatory compliance
  • Health and safety obligations
  • Financial record keeping requirements

3.4 Vital Interests

  • Emergency medical treatment
  • Safeguarding vulnerable patients
  • Public health emergencies

3.5 Legitimate Interests

  • Improving our services and patient care
  • Internal administration and record keeping
  • Fraud prevention and security
  • Business development and planning

4. How We Use Your Information

4.1 Primary Healthcare Purposes

Direct Patient Care:

  • Providing medical consultations and treatments
  • Monitoring your health and treatment progress
  • Coordinating care with other healthcare providers
  • Emergency medical treatment when necessary

Administrative Purposes:

  • Scheduling and managing appointments
  • Processing payments and insurance claims
  • Maintaining accurate medical records
  • Communicating about your care and treatment

4.2 Secondary Purposes

Service Improvement:

  • Analyzing treatment outcomes and effectiveness
  • Quality assurance and clinical audit
  • Staff training and development
  • Service planning and development

Communication:

  • Sending appointment reminders and confirmations
  • Providing test results and treatment updates
  • Sharing important health and safety information
  • Marketing communications (with your consent)

Legal and Regulatory:

  • Complying with professional standards
  • Meeting NHS contractual obligations
  • Responding to legal requests and investigations
  • Maintaining required records and documentation

5. Information Sharing and Disclosure

5.1 Healthcare Partners

NHS and Healthcare Providers:

  • Your GP and referring healthcare providers
  • NHS systems for continuity of care
  • Specialist consultants and healthcare professionals
  • Emergency services when medically necessary

Insurance and Payment:

  • Private medical insurance companies
  • Payment processing services
  • Credit reference agencies (for payment plans)

5.2 Service Providers

Technology and Support Services:

  • IT support and cloud storage providers
  • Website hosting and maintenance services
  • Appointment booking and management systems
  • Communication and marketing platforms

Professional Services:

  • Legal advisors and accountants
  • Auditors and regulatory consultants
  • Medical equipment and laboratory services

5.3 Legal Requirements

Regulatory Bodies:

  • Care Quality Commission (CQC)
  • General Medical Council (GMC)
  • General Optical Council (GOC)
  • Information Commissioner's Office (ICO)

Legal Authorities:

  • Courts and tribunals
  • Police and law enforcement
  • Government agencies and departments
  • Professional indemnity insurers

6. Data Security and Protection

6.1 Technical Safeguards

Encryption and Security:

  • All data transmitted using SSL/TLS encryption
  • Secure storage with industry-standard encryption
  • Regular security updates and patches
  • Multi-factor authentication for staff access

Access Controls:

  • Role-based access to patient information
  • Regular access reviews and updates
  • Secure user authentication systems
  • Audit trails for all data access

6.2 Physical Security

Premises Security:

  • Secure access controls to all facilities
  • CCTV monitoring and alarm systems
  • Locked storage for physical records
  • Clean desk and clear screen policies

Equipment Security:

  • Encrypted devices and secure disposal
  • Regular backup and recovery procedures
  • Secure destruction of confidential waste
  • Mobile device management policies

6.3 Staff Training and Policies

Data Protection Training:

  • Regular staff training on data protection
  • Confidentiality agreements for all staff
  • Clear policies and procedures
  • Incident reporting and response procedures

7. Data Retention

7.1 Medical Records

Adult Patients:

  • Medical records retained for 8 years after last treatment
  • Mental health records retained for 20 years
  • Maternity records retained for 25 years

Pediatric Patients:

  • Records retained until 25th birthday or 8 years after death
  • Longer retention for certain conditions as required

7.2 Other Information

Administrative Records:

  • Appointment records: 2 years
  • Financial records: 7 years
  • Insurance records: 6 years
  • Website data: 2 years (unless longer retention required)

Marketing and Communications:

  • Marketing consent records: Until consent withdrawn + 1 year
  • Website analytics: 26 months
  • CCTV footage: 30 days (unless incident reported)

7.3 Secure Disposal

All personal data is securely destroyed at the end of the retention period using:

  • Certified data destruction services
  • Secure shredding for physical documents
  • Cryptographic erasure for digital data
  • Certificate of destruction provided

8. Your Rights Under GDPR

8.1 Right of Access

  • Request copies of your personal data
  • Information about how we use your data
  • Details of who we share your data with
  • Response within one month of request

8.2 Right to Rectification

  • Correct inaccurate personal data
  • Complete incomplete personal data
  • Update outdated information
  • Notify third parties of corrections where appropriate

8.3 Right to Erasure ("Right to be Forgotten")

  • Request deletion of personal data
  • Subject to legal and professional obligations
  • Medical records may need to be retained for legal reasons
  • We will explain if erasure is not possible

8.4 Right to Restrict Processing

  • Limit how we use your personal data
  • Temporary restriction while disputes are resolved
  • Storage only with your consent
  • Notification of any restrictions to third parties

8.5 Right to Data Portability

  • Receive your data in a structured format
  • Transfer data to another healthcare provider
  • Applies to data provided with consent or for contract performance
  • Technical feasibility considerations apply

8.6 Right to Object

  • Object to processing based on legitimate interests
  • Object to direct marketing at any time
  • Object to processing for research purposes
  • We will stop processing unless compelling legitimate grounds exist

8.7 Rights Related to Automated Decision Making

  • Right not to be subject to automated decision making
  • Right to human intervention in automated processes
  • Right to challenge automated decisions
  • Currently, we do not use automated decision making for medical decisions

9. Cookies and Website Technologies

9.1 Types of Cookies We Use

Essential Cookies:

  • Session management and security
  • Website functionality and navigation
  • Form submission and error handling
  • These cookies are necessary for website operation

Analytics Cookies:

  • Google Analytics for website performance
  • User behavior and site improvement
  • Anonymized data collection
  • Opt-out available through browser settings

Marketing Cookies:

  • Social media integration
  • Advertising and remarketing
  • Third-party marketing platforms
  • Require explicit consent

9.2 Managing Cookies

Browser Controls:

  • Most browsers allow cookie management
  • You can block or delete cookies
  • Some website functionality may be affected
  • Instructions available for all major browsers

Our Cookie Preferences:

  • Cookie consent banner on first visit
  • Granular control over cookie types
  • Easy withdrawal of consent
  • Regular review of cookie usage

10. International Data Transfers

10.1 Data Transfer Safeguards

Adequacy Decisions:

  • Transfers only to countries with adequate protection
  • European Economic Area (EEA) countries
  • Countries with UK adequacy decisions

Appropriate Safeguards:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable
  • Certification schemes and codes of conduct
  • Regular review of transfer mechanisms

10.2 Third Country Transfers

Cloud Services:

  • Some data may be stored in secure cloud facilities
  • Appropriate safeguards always in place
  • Regular security and compliance audits
  • Data subject rights remain fully protected

11. Children's Privacy

11.1 Pediatric Patients

Consent Requirements:

  • Parental consent required for children under 13
  • Competent children (13-16) may consent to some processing
  • Fraser guidelines applied for medical treatment
  • Best interests always considered

Special Protections:

  • Enhanced security for children's data
  • Limited data sharing
  • Careful consideration of data retention
  • Regular review of processing activities

12. Data Breach Procedures

12.1 Incident Response

Detection and Assessment:

  • 24/7 monitoring and detection systems
  • Immediate assessment of breach severity
  • Risk assessment for affected individuals
  • Documentation of all incidents

Notification Requirements:

  • ICO notification within 72 hours (if high risk)
  • Individual notification without undue delay
  • Clear communication about the breach
  • Advice on protective measures

12.2 Breach Mitigation

Immediate Actions:

  • Contain and stop the breach
  • Assess and minimize harm
  • Preserve evidence for investigation
  • Implement additional security measures

Follow-up Actions:

  • Full investigation and root cause analysis
  • Review and update security measures
  • Staff retraining if necessary
  • Regular monitoring for further incidents

13. Contact Information and Complaints

13.1 Data Protection Support

Contact Details:

13.2 Exercising Your Rights

How to Contact Us:

  • Email: support@cesmedical.co.uk
  • Phone: 01634 963222
  • Post: CES Medical Ltd, Maidstone Innovation Centre, Gidds Pond Way, Weavering, Maidstone, England, ME14 5FY
  • In Person: At any of our clinic locations

What to Include:

  • Full name and contact details
  • Description of your request
  • Proof of identity (for security)
  • Specific information you're requesting

13.3 Complaints Process

Internal Complaints:

  1. Contact our Data Protection Officer
  2. We will acknowledge within 5 working days
  3. Investigation completed within 30 days
  4. Written response with outcome and actions

External Complaints:

  • Information Commissioner's Office (ICO)
  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

14. Changes to This Privacy Policy

14.1 Policy Updates

Regular Reviews:

  • Annual review of privacy practices
  • Updates for legal or regulatory changes
  • Improvements based on feedback
  • Technology and service changes

Notification of Changes:

  • Website notification of material changes
  • Email notification to registered users
  • Clear highlighting of significant updates
  • Previous versions available on request

14.2 Effective Date

This privacy policy is effective from [Date] and replaces all previous versions. Continued use of our services after changes indicates acceptance of the updated policy.

15. Additional Information

15.1 Professional Standards

Medical Confidentiality:

  • GMC guidance on confidentiality
  • Professional duty of care
  • Ethical obligations to patients
  • Balancing competing interests

Regulatory Compliance:

  • Care Quality Commission standards
  • NHS contractual requirements
  • Professional body regulations
  • Industry best practices

15.2 Research and Development

Clinical Research:

  • Separate consent for research participation
  • Anonymization and pseudonymization
  • Ethical approval requirements
  • Right to withdraw from research

Service Development:

  • Anonymized data for service improvement
  • Statistical analysis and reporting
  • Quality assurance activities
  • Patient safety initiatives

16. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, including collection, storage, use, and deletion.

Data Controller: The organization that determines the purposes and means of processing personal data.

Data Processor: An organization that processes personal data on behalf of a data controller.

Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing.

Legitimate Interests: Processing necessary for legitimate interests, except where overridden by individual rights.

This privacy policy demonstrates our commitment to protecting your personal information and complying with all applicable data protection laws. If you have any questions or concerns, please don't hesitate to contact us.

CES Medical is committed to transparency and accountability in all our data processing activities. This policy will be regularly reviewed and updated to ensure continued compliance and best practice.