Patient Privacy Notice

Jorja Healthcare Holdings LTD and Subsidiary companies’ patient privacy notice

This Privacy Notice sets out important details about information (“personal data”) that Jorja Healthcare Holdings LTD and the healthcare professionals responsible for your care (including their customer service) will collect and hold about you, how we use your personal data and how we protect it. It also provides information on your rights in relation to your personal data.

This Privacy Notice also outlines how personal data relating to patients referred to healthcare professionals for an assessment in connection with medico-legal proceedings will be collected and used. 

This Privacy Notice applies to anyone who receives healthcare services at Jorja Healthcare Holdings LTD (“JHCH”) and describes how we handle your personal data regardless of the way you interact with us (for example, in person, by email, through our website, by phone and so on). Please take your time to read this Privacy Notice carefully.

In this Privacy Notice we use “we” or “us” or “our” or “Jorja Healthcare Holdings LTD” or “JHCH” to refer to the Jorja Healthcare Holdings LTD company who is using your personal data, and the healthcare professionals who provide your care.

Jorja Healthcare Holdings LTD, Company number 15099083 comprises of the following companies within the group, referred to as “JHCH”:

Primary Care Holdings LTD, Company number 14035963; including trading names (Paddington Spine Clinic,

London Podiatry Clinic, The London Hip Clinic, Private MRI, Living Room Health, ADHD Consultation)

Jorja Emerson Centre LTD, Company number 14610457

Jorja Technologies LTD, Company number 14763100

Jorja Direct LTD, Company number 14969505

As a patient of Jorja Healthcare Holdings LTD, your care may be provided by a healthcare professional who is a medical practitioner including consultants, nurses, and other clinical support professionals. In this Privacy Notice, we refer to all such individuals as “healthcare professionals”. Those healthcare professionals make decisions about what personal data they need to collect about you, and may maintain their own set of medical records in relation to your care. They are a Data Controller of your personal data which they hold within those records, meaning that they must also comply with the data protection legislation and relevant guidance when handling your personal data. This includes using your personal data as set out in more detail below.

Most healthcare professionals are expected to use personal data as set out within this Privacy Notice.  There may be circumstances, however, where healthcare professionals do things slightly differently to Jorja Healthcare Holdings LTD. In those particular circumstances, it is the responsibility of the healthcare professional to ensure that their use of your personal data is lawful, inform you as to exactly how it will be used and provide you with their own Privacy Notice setting this out.

Healthcare professionals who work with Jorja Healthcare Holdings LTD are supported by a medical secretary who will use your personal data only as instructed by your healthcare professional. This could include, for example, preparing letters about your care or liaising with you about appointments. In some circumstances, that medical secretary will be employed by Jorja Healthcare Holdings LTD and they will handle your personal data in accordance with this Privacy Notice. However, in other circumstances the secretary may be employed by the consultant, by other healthcare providers (private or NHS), or be self-employed. This means that your personal data may be handled by third parties at their sites. It is your healthcare professional’s responsibility to inform you if their medical secretary is employed by a third party and the manner in which they will use your personal data (including where they are based). Jorja Healthcare Holdings LTD is not responsible for any use of your personal data by third parties, eg customer service who are not employed by Jorja Healthcare Holdings LTD.

Also, healthcare professionals who work with Jorja Healthcare Holdings LTD (including their customer service) may process your personal data at a non-Jorja Healthcare Holdings LTD site (medical or non-medical).

If you want to find out more about the arrangements between Jorja Healthcare Holdings LTD and your healthcare professional for handling your personal data, or you have any concerns about the way your healthcare professional has handled your personal data, please contact our Data Protection Officer (“DPO”).

The DPO’s contact details can be found at the bottom of this page.

We are likely to communicate with you by telephone, SMS, email, and/or post. If we call the telephone number(s) which you have provided, and the call directs to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service.

In particular:

  • to provide you with timely updates and reminders about your care, we may send you SMS messages and/or email
  • to provide you with your medical information (including test results and other clinical updates) and/or invoicing information, we may communicate with you by encrypted email
  • the first time we send you any important encrypted email eg one that we are not also sending by post or which requires you to take an action, we will try to contact you separately to ensure that you are able to access that encrypted email
  • if we have your mobile number or your email address we may use them to ask you to complete patient surveys which are for the purpose of improving our service or monitoring outcomes and are not a form of marketing

We may contact you to ask you to participate in patient surveys regarding your care.  We will usually send these surveys to you by email or SMS message. These surveys are not a form of marketing and they do not try to sell you any further products or services. They are solely to get your feedback on your experience, to improve the quality and safety of the healthcare services we offer to future patients. It is entirely up to you whether you participate in the surveys and you can unsubscribe from receiving further survey requests. We use the responses you provide to make improvements to our services. You may also opt in to receiving a call back to discuss your responses.

In addition, we may also contact you to invite you to participate in on-line surveys regarding the clinical outcomes of your care called Patient Reported Outcome Measures (“PROMs”). Again, these are not a form of marketing. If you are a private patient your PROMs results are shared with PHIN (see the next section), and if you are an NHS patient your PROMs results are shared with NHS England. We may send you an initial invitation asking you to participate before you receive your care, by post, SMS, email or in person when you attend the hospital for your care. If you choose to complete a PROMs survey you will also receive subsequent surveys after your care to help establish the benefit you have gained from treatment.

We use (or “process”) your personal data for a number of different purposes but in all cases, we must have a legal basis for doing so. When we use “special category of personal data” such as personal data relating to a person’s health, (see section on Special categories of personal data above) we must have a specific additional legal basis to do so.

Generally, we will rely on the following legal bases:

Contract:

  • we need to use your personal data to take steps so that you can enter into a contract with us and/or a

healthcare professional to provide your care

  • we need to use your personal data to provide your care in accordance with a contract between you and Jorja Healthcare Holdings LTD and/or healthcare professional. We will rely on this for activities such as supporting your care and other benefits, supporting your doctor, nurse, carer or other healthcare professional and providing other services to you; and/or
  • we need to use your personal data to assist your investigation of potential medical negligence against another healthcare provider by registering you on Jorja Healthcare Holdings LTD systems. The medico-legal assessment may be performed by one of our healthcare professionals, or it may simply be a diagnostic test performed by us.
  • Legitimate interests: we need to use your personal data for our legitimate business interest to process your personal data and such interest does not cause harm to you. We will rely on this for activities such as quality assurance, maintaining our business records, developing and improving our products and services and helping with medical research.
  • Legal obligation: we need to use your personal data to comply with our legal or regulatory obligations.
  • Legal claims: we need to use your special category personal data to establish, exercise or defend our legal claims.
  • Consent: you have given us your consent to use your personal data for this purpose.

Generally, we will only ask for your consent to use your personal data if there is no other legal basis to use it. If we ask for your consent, we will always aim to be clear and transparent about why we need your consent and what we are asking it for. Where we are relying on consent to use your personal data you have the right to withdraw your consent at any time by contacting our DPO (contact details can be found at the bottom of this document) and we will stop using your personal data for that purpose.

You will find details of the legal bases for each of our purposes below.

Purpose 1: To set you up as a patient on Jorja Healthcare Holdings LTD’s systems

We have to carry out checks including carrying out fraud, credit, anti-money laundering and other regulatory checks for you to become a patient (which includes when you have a medico-legal assessment, or a diagnostic test). We cannot perform these checks without using your personal data.

Legal bases for using your personal data

Contract: to take steps so that you can enter into a contract with us for the delivery of your care, and/or in connection with a contract for a healthcare professional to carry out a medico-legal assessment, or a contract for Jorja Healthcare Holdings LTD to perform a diagnostic test.

Additional legal bases for using your special category personal data Substantial public interest: for reasons of substantial public interest; and Legal claims: to establish, exercise or defend our legal claims.

Purpose 2: To provide your care and related services

Clearly, the reason you come to us is to receive care, and so we have to use your personal data for that.

Legal bases for using your personal data Contract:

  • to provide your care and related services; and
  • to fulfil our contract with you for the delivery of your care.
Additional legal bases for using your special category personal data

Health or social care: to provide your care; and

Vital interests: to protect your vital interests where you are physically or legally incapable of giving consent, for example in an emergency if you are incapacitated.

Purpose 3: To settle your account

We will use your personal data to ensure that your account and billing is fully accurate and up to date

Legal bases for using your personal data Contract:

  • to provide your care and other related services; and
  • to fulfil our contract with you for the delivery of your care; and

Legitimate interests: for our legitimate business interest to ensure that we are paid for providing your care which does not overly prejudice you.

Additional legal bases for using your special category personal data

Health or social care: to provide your care; and

Legal claims: establish, exercise or defend our legal claims.

Purpose 4: For internal clinical audit, National Clinical Audit, medical research purposes, and product testing and improvement
Internal clinical audit

There may be a clinical audit of health records, including medical information, carried out by Jorja Healthcare Holdings LTD to assess care standards and identify any improvements we could make, or as required by law.

Legal bases for using your personal data

Legal obligation: to comply with our legal or regulatory obligations;

OR

Legitimate interests: for our legitimate business interest in making improvements and we have put appropriate safeguards in place to protect your privacy so that this use does not overly prejudice you.

Additional legal bases for using your special category personal data

Substantial public interest: for reasons of substantial public interest; and

Health or social care: for the management of health or social care systems and services.

National Clinical Audits

We may share your personal data with National Clinical Audits, Clinical Outcome Review Programmes and other national quality improvement projects. We may also share your personal data with other audit programmes set up by professional associations that we think we should participate in.

Legal bases for using your personal data

Legal obligation: to comply with our legal or regulatory obligations;

OR

Legitimate interest: for our legitimate business interest in:

  • helping with medical research; and
  • making improvements,

and we have put appropriate safeguards in place to protect your privacy so that this use does not overly prejudice you.

OR

Consent: You have given us or the organisation collecting your personal data your consent to use your personal data for this purpose.

Additional legal bases for using your special category personal data

Substantial public interest: for reasons of public interest for statistical and scientific research purposes.

Medical research

We also participate in medical research and may share personal data with ethically approved research projects. 

Any published data from these programmes will be in an anonymised, statistical format.

Legal bases for using your personal data

Legitimate interest: for our legitimate business interest in:

  • helping with medical research; and
  • making improvements,

and we have put appropriate safeguards in place to protect your privacy so that this use does not overly prejudice you.

OR

Consent: You have given us or the organisation collecting your personal data your consent to use your personal data for this purpose.

Additional legal bases for using your special category personal data

Substantial public interest: for reasons of public interest for statistical and scientific research purposes.

Product testing and improvement

We may need to use your medical records to test the quality and effectiveness of new systems that we implement to improve the care and treatment we provide or assist in the management of our clinical services.

Legal bases for using your personal data

Legitimate interests: for our legitimate business interest in making improvements in our systems and services which have been appropriately assessed and where we have put safeguards in place to protect your privacy so that this use does prejudice your privacy rights.

Purpose 5: Disclose information to Private Health Care Information Network (“PHIN”)

Under the Competition and Markets Authority Private Healthcare Market Investigation Order 2014, we are required to provide PHIN with personal data related to your care, including your NHS Number and postcode, the nature of your procedure, the length of your stay in hospital, whether there were any complications, your recovery and improvement post-treatment, and any feedback you gave us as part of the PROMS survey.

PHIN is an organisation who will monitor outcomes of patients who receive private healthcare services, as part of a UK-wide programme to improve the public’s access to information on the quality and outcome of private healthcare.

Information about how PHIN uses personal data, including its Privacy Notice, is available at www.phin.org.uk.

Legal bases for using your personal data

Legal obligation: to comply with our legal or regulatory obligations; and

Legitimate interests: for our legitimate business interest to ensure that the quality of and outcomes of patients’ private healthcare is monitored, and where this does not overly prejudice you.

Additional legal bases for using your special category personal data

Substantial public interest: for reasons of substantial public interest; and

Health or social care: for the management of health or social care systems and services.

Purpose 6: Contacting you and resolving queries or complaints

From time to time, patients may raise queries, or even complaints, with us and we take those communications very seriously. We will need to use your personal data to resolve such matters fully and properly.

Legal bases for using your personal data

Contract: to provide your care and other related services; and

Legitimate interests: for our legitimate business interest to ensure our patients’ queries and complaints are answered, which does not overly prejudice you.

Additional legal bases for using your special category personal data

Health or social care: to provide your care; and

Legal claims: to establish, exercise or defend our legal claims.

Purpose 7: Liaising with other healthcare professionals about your care and updating others (such as your emergency contact)

We may need to share your personal data with the individuals that you ask us to update about your care. 

Also, other healthcare professionals or organisations may need to know about your care for them to provide you with safe and effective healthcare services, and so we may need to share your personal data with them.

Details on these professionals or organisations are set out in the Third parties section below.

Legal bases for using your personal data

Contract: to provide your care and other related services; and

Legitimate interests: for our legitimate business interest in ensuring that other healthcare professionals who are routinely involved in your healthcare services have a full picture of these services.

Additional legal bases for using your special category personal data

Health or social care: to provide your care

Substantial public interest: for reasons of substantial public interest; and Legal claims: to establish, exercise or defend our legal claims.

Purpose 8: Investigating and responding to concerns, complaints or claims, complying with our legal or regulatory obligations and defending or exercising our legal rights

We are subject to a wide range of legal and regulatory responsibilities which we cannot list fully here and we may be required by law or by regulators to provide personal data.

We may also have to consider and/or discuss with appropriate third parties your care in the context of concerns over a healthcare professional’s performance or clinical competence.

If we and our healthcare professionals are the subject of legal actions or complaints, then we need to access your personal data to fully investigate and respond to those actions.

Legal bases for using your personal data

Legal obligation: to comply with our legal or regulatory obligations; and

Legitimate interests: for our legitimate interests in ensuring that you, and others, receive safe care and treatment.

Additional legal bases for using your special category personal data

Health or social care: for others to provide informed healthcare services to you;

Health or social care: to provide your care or treatment or the management of health or social care systems; and

Legal claims: to establish, exercise or defend our legal claims.

Purpose 9: Providing improved quality, training and security (for example, recording or monitoring phone calls to our contact numbers) and conducting pre and post treatment surveys

We are a quality-conscious organisation, always looking to learn from our patients’ experiences to improve our services for the purposes of patient safety and quality.  We will use your personal data to identify where we can make these improvements, such as by reviewing recorded phone calls to assess whether we can learn any lessons and contacting you to hear your valuable thoughts on the Jorja Healthcare Holdings LTD experience.

Legal bases for using your personal data

Legitimate interests: for our legitimate business interest to improve our quality, training and security which does not overly prejudice you.

Additional legal bases for using your special category personal data

Health or social care: to manage the healthcare services we deliver, including carrying out surveys (which are not a form of marketing) in order to identify and carry out any necessary improvements.

Purpose 10: Managing our business: retaining patient records, reviewing CCTV images, maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (eg tax, financial, legal or public relations advice)

We do not need to use your special categories of personal data for this.

Legal bases for using your personal data

Legal obligation: to comply with our legal or regulatory obligations; and

Legitimate interests: for our legitimate business interest in managing our business operations, which does not overly prejudice you.

Additional legal bases for using your special category personal data Not applicable.

Purpose 11: Advising you of other services offered by Jorja Healthcare Holdings LTD and selected third party partners (“Marketing”)

As a business, we need to carry out marketing but we will only send you information about products or services which may be of interest to you and only where you have specifically given us your consent to do so. 

We may also provide your personal data to market research agencies to collect your feedback which will be used to develop better products and services for you.

We do not need to use your special categories of personal data for this.

If you no longer wish to receive marketing emails sent by us, you can click on the “unsubscribe” link that appears in all of our emails, otherwise you can always contact our DPO (contact details can be found at the bottom of this document.) to update your contact preferences.

If you no longer wish to receive non-website based marketing information or for us to provide your personal data to market research agencies, please also contact our DPO.

Legal bases for using your personal data

Legitimate interests: We need to use your personal data for our legitimate business interest in marketing our

services to our existing patients to increase sales, which does not overly prejudice you; and Consent: You have given us your consent to use your personal data for this purpose.

Additional legal bases for using your special category personal data Not applicable.

If we relied on legitimate interests in using your personal data, you can object to us using your personal data for this purpose, and we may have to stop doing so. If you would like to object then please contact our DPO (contact details can be found at the bottom of this page).

Within the Jorja Healthcare Holdings LTD group of companies

We share your personal data with other companies in the Jorja Healthcare Holdings LTD group.

Third parties:

We may share your personal data with the third parties listed below:

  • a doctor, nurse, carer or any other healthcare professional involved in your care
  • other members of support staff involved in your care, like customer service, receptionists and porters
  • anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin or carer
  • NHS organisations, including NHS Resolution, NHS England, Department of Health Other private sector healthcare providers
  • your GP
  • your dentist
  • your healthcare professional (including their customer service)
  • third parties who assist in the administration of your care, or may be responsible for paying for the cost of your care, such as insurance companies
  • third parties acting on your behalf in connection with legal proceedings (including potential medicolegal claims)
  • Private Healthcare Information Network (PHIN)
  • national and other professional research/audit programmes and registries
  • Government bodies, including the Ministry of Defence, the Home Office and HMRC
  • our regulators, like the Care Quality Commission, Health Inspectorate Wales and Healthcare Improvement Scotland
  • the police and other third parties for the prevention or detection of crime
  • our insurers
  • debt collection agencies
  • credit referencing agencies
  • our third party services providers such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document management providers and tax advisers; and
  • selected third parties in connection with any sale, transfer or disposal our business. If you are a patient of a business that has been taken over by us, we will receive your personal information as part of the sale process. Where this happens, you will be informed of this prior to the transfer of data.

If we sell part of our business, then we will need to share your data with the new owner. The transfer of data (this could include your personal data – name, address, contact details, etc along with health data ie appointment bookings, medical notes and medical imaging) will be managed in secure manner, and minimises the disruption to current or previous patients and to ensure that Jorja Healthcare Holdings LTD, and the new owner, are able to fully comply with our legal obligations regarding the retention medical records and to ensure continuity of care.

If we share your personal data, we will make sure appropriate protection is in place to protect it in line with data protection laws.

We are committed to looking after your personal data and have implemented appropriate physical, technical, and organisational security measures designed to protect against accidental loss and unauthorised access, use, alteration, or disclosure.

In doing so, we comply with UK data protection law, including the Data Protection Act 2018, the EU General Data Protection Regulation and all applicable medical confidentiality guidelines issued by professional bodies including, but not limited to, the General Medical Council and the Nursing and Midwifery Council.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know it. They will only use your personal data on our instructions and they are subject to a duty of confidentiality.

We will only hold your personal data for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations. Jorja Healthcare Holdings LTD generally keeps personal data about your care for 30 years after you have finished your treatment. If your healthcare professional employs a different retention policy, then it is their responsibility to inform you of this.

If you would like further information regarding the periods for which your personal data will be held, please contact our DPO (contact details can be found at the bottom of this page).

We (or third parties acting on our behalf) may use or hold personal data that we collect about you in countries outside the United Kingdom or the European Economic Area) (“UK/EEA“). Where we transfer your personal data outside of the UK/EEA we take steps to ensure that your personal data is protected.

We will only transfer your personal data outside of the UK/EEA for the purposes set out in this Privacy Notice and to the extent that it is relevant and necessary.

If you would like further information regarding the steps we take to safeguard your personal data, please contact our DPO (contact details can be found at the bottom of this page).

Healthcare professionals, and/or their customer service, may use IT services (such as email providers, cloud based storage providers, practice management software and clinical devices) which rely upon, or are backed up by, servers which are based outside of the UK/EEA. If such services are used by healthcare professionals, and/or their customer service, then your personal data will be transferred outside of the UK/EEA. It is that healthcare professional’s responsibility to ensure your personal data is transferred lawfully and securely. This is not a matter for Jorja Healthcare Holdings LTD.

General Information

You have certain rights in relation to your personal data that we hold about you. These include rights to know what personal data we hold about you and how it is used. We will use and hold your personal data in accordance with our obligations and these rights.

You may ask to exercise these rights at any time by contacting our DPO (contact details can be found at the bottom of this page). You will not usually be charged for exercising your rights.

These rights do not always apply in all cases, and we will let you know how we will be able to meet your request. If we cannot meet your request, we will explain why.

If you make a large number of requests or it is not reasonable for us to meet a request then we do not have to respond.  Alternatively, we can charge for responding.

The right to access your personal data

You have the right to request details and a copy of the personal data we hold about you and details about how we use it. We must confirm whether we have personal data about you, and we also need to provide you with a copy of your personal data.

We will usually provide you with your personal data in writing, unless you request otherwise. If you have made the request electronically (eg by email) the personal data will be provided to you electronically where possible.

In some cases we may not be able to fully comply with your request, for example if your request involves another person’s personal data and it would not be fair to that person to provide it to you.

The right to rectification

You have the right to have inaccurate personal data about you corrected or removed.

The right to erasure (“right to be forgotten”)

You have the right to request that we delete certain personal data we hold about you. However, there are exceptions to this right. For example, we can refuse to delete your personal data if we need to keep for tasks which are in the public interest, or for establishing, exercising or defending legal claims.

The right to restrict processing

You have the right to ask us to restrict our use your personal data. We do not have to comply with all requests to restrict our use of your personal data. For example, if we need to use it for tasks which are in the public interest or for establishing, exercising or defending legal claims.

The right to data portability

You have the right to ask us to transfer your personal data to you or to someone else in a format that can be read by computer.

The right to object to marketing

You have the right to ask us to stop sending you marketing messages at any time and we must comply with your request.

The right not to be subject to automatic decisions

You have the right to not be subject to automatic decisions (ie decisions that are made about you by computer without any human input) in relation to your care or other processes that have a legal or similarly significant effect on you.

Please see the section on Automated decision making for details about when we may make automatic decisions about you.

If you have been subject to an automated decision and do not agree with the outcome, you can challenge the decision by contacting our DPO (contact details can be found at the bottom of this page).

The right to withdraw consent

You have the right to withdraw any consent you have given us to use your personal data.

The right to object to other uses of your personal data

You have the right to object to us using your personal data in a particular way (such as sharing it with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing healthcare services.

The Information Commissioner’s Office (“ICO”)

You can complain to the ICO if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.

More information can be found on the ICO website: https://ico.org.uk/

Making a complaint will not affect any other legal rights or remedies that you have.

We may from time to time include on our websites links to and from the websites of other organisations. If you

follow a link to any of these websites, please note that these websites have their own privacy policies and that

we do not accept any responsibility or liability for these policies. Please check these policies and notices before

you submit any personal data to these websites.

We have a DPO who is responsible for ensuring the Jorja Healthcare Holdings LTD group of companies in the

section About us comply with their data protection obligations.

Our DPO can be contacted by:

• Telephone: 0330 580 1153

Email: hello@jorjahealthcaregroup.com

• Post: Data Protection Officer, 10 Eastbourne Terrace, London, W2 6LG

If you have any questions about this Privacy Notice or would like to exercise any of your rights set out in this

Privacy Notice, please contact our DPO.

For patients requesting data in addition to medical records

Under the General Data Protection Regulations (GDPR) you have the right to access your personal data as you

are entitled to be informed of any information Jorja Healthcare Holdings LTD is processing about you, andV3.0

Last update: 11th April 2024

subject to certain exemptions and as far as reasonably practical to receive a copy of that information. Such

requests to Jorja Healthcare Holdings LTD Healthcare must be made in writing.

Jorja Healthcare Holdings LTD is not permitted to disclose any information which identifies another person

unless that person agrees or if it is reasonable to override refusal of consent. If you think that the information

you want identifies someone else, you may wish to obtain written permission for the release of their

information and enclose it with your completed application form.

If you are requesting the personal information of another individual person on their behalf, you will be

required to provide us with satisfactory proof that you have the individual’s authority to act on their behalf.

Email: hello@jorjahealthcaregroup.com

• Post: Data Protection Officer, 10 Eastbourne Terrace, London, W2 6LG

The GDPR requires that personal data should not be held for longer than is necessary for the purpose for which it is being processed. However, it is a fundamental requirement that all of Jorja Healthcare Holdings LTD records are retained for a minimum period of time for legal, operational, research and / or safety reasons. The length of time for retaining records will depend on the type of record. Below you will find a summary of the various types of data we hold about you and how long each will be kept.  

Jorja Healthcare Holdings LTD retention policy for most medical records is 30 years. This period has been determined with patient safety in mind. There is also the necessity in healthcare to occasionally need to undertake patient recalls where it is generally necessary to have access to the original patient medical record to determine, for instance, what was discussed with the patient, any products implanted or used to treat the patient or identify members of staff involved in the patient’s care.  Some non-medical records will also need to be held for this time period as they support the medical records by providing context and further operational information. These are discussed in the next section.  

 

 

Medical Records  

 

 

Type of record  

Start of Retention Period  

Minimum Retention Period  

Comments  

 Medical records

Conclusion of treatment  

Retain for 30 years  

  

  

Non-Medical Records  

The following list explains what other personal data Spire may hold about you and how long that data will be held for.   

Type of record  

Start of Retention Period  

Minimum Retention Period  

Comments  

CCTV (many of our Clinics have CCTV installed in communal areas such as car parks, receptions and waiting

Creation  

 

3 days (up to a maximum of 30 days)  

Recorded images which are downloaded

 

should only be retained long enough for the incident to be investigated.   

 

Type of Record  

Start of Retention Period  

Minimum Retention Period  

Comments  

Patient Portal, Semble, Outcomes Tool (this is our patient administration

software)  

Date of last admission

 30 years  

Retention period of 30 years in line with medical record retention.  

Credit Card details where there is no outstanding debt on patient’s account  

Receipt of credit card

 

details  

 

6 months  

For instance, when credit card details are taken at registration.  

Credit Card details where there is outstanding debt on patient’s account  

 Discharge of debt  

6 months  

  

Debtor records cleared  

Close of financial year in which debt is

cleared  

6 years  

  

Debtor records not cleared  

  

Retain until cleared  

  

Invoices to patients regarding their treatment  

Close of financial year to which the invoice

relates  

 

 6 years  

  

Booking tool for managing patient bookings  

Creation  

6 years  

  

Patient enquiries – Email   

Receipt  

6 years  

  

Patient surveys  

Receipt  

6 years  

Applies to surveys where patients have consented for their data to be linked back to their patient record.  

Prospective patient data for marketing purposes (this data is most commonly collected at events)  

Receipt  

 

6 years  

  

Complaints case file    

Closure of incident  

30 years  

Retention period of 30 years in line with medical record retention.  

Fraud case files  

Case closure  

6 years  

  

Litigation records  

Case closure  

30 years  

Retention period of 30 years in line with medical record retention.  

Subject Access Requests (SAR) and disclosure

correspondence  

Closure of SAR  

3 Years  

  

Subject access requests where there has been a subsequent appeal  

Closure of appeal  

6 Years  

  

Accident forms  

Creation  

10 years  

  

Telephone call recordings  

 

 

Creation  

1 year maximum

Calls are muted when financial information is taken over the phone.       Downloaded calls should only be retained long enough for the purpose of their use to be concluded.