
Safe (Preventing Harm & Protecting Patients) Policy
Confidentiality Policy
1. Introduction
At HAUS OF ÄSTHETIK, we are committed to ensuring the highest standards of confidentiality for all patient, staff, and business-related information. Protecting personal data, medical records, and clinic operational details is fundamental to our ethical, professional, and legal responsibilities.
This policy ensures compliance with:
• UK General Data Protection Regulation (UK GDPR) 2018
• Data Protection Act 2018
• Health and Social Care Act 2012
• Care Quality Commission (CQC) Standards (if applicable)
• General Medical Council (GMC) and Nursing & Midwifery Council (NMC) Guidelines
• Information Commissioner’s Office (ICO) Best Practices
Failure to comply with this policy may result in disciplinary action, regulatory investigations, or legal consequences.
2. Scope
This policy applies to:
• All employees, freelance practitioners, contractors, and external service providers working at HAUS OF ÄSTHETIK.
• All patient, staff, and business data stored, shared, or processed within the clinic.
• All forms of confidential information, including:
    • Electronic records (patient files, consent forms, communications, financial data)
    • Encrypted CCTV footage stored off-site on Netatmo servers for staff and patient safety
    • Verbal discussions (consultations, team meetings, phone calls)
3. Legal & Regulatory Compliance
All clinic personnel must ensure that they handle confidential information in compliance with the following:
• UK General Data Protection Regulation (UK GDPR) 2018
    • Governs personal data processing, individuals' access rights, and consent-based data sharing.
• Data Protection Act 2018
    • Safeguards personal information and ensures lawful, fair, and secure data processing.
• Health and Social Care Act 2012 (if CQC registered)
    • Sets the patient confidentiality standards that apply in healthcare.
• Human Rights Act 1998 (Article 8 – Right to Privacy)
    • Provides legal protection for individual privacy.
• Common Law Duty of Confidentiality
    • Patient information must be kept confidential and disclosed only when necessary and with consent.
4. Principles of Confidentiality
All employees, freelancers, and third-party providers at HAUS OF ÄSTHETIK must adhere to the following key principles when handling confidential information:
🔒 Confidentiality Is Mandatory
• Staff must ensure all patient and business information remains private.
🛑 Access Information on a Need-to-Know Basis
• Data should only be accessed for legitimate clinical or operational purposes.
📁 Electronic Storage & Security
• All patient records are securely stored electronically on the Insync Faces Consent platform.
• Faces Consent is GDPR compliant and ensures encryption of stored data.
📤 Consent Before Sharing Information
• Patient records must not be disclosed to third parties without written consent.
🚫 No Unauthorised Disclosure
• Staff must not discuss patient cases outside of the clinic or in public spaces.
💻 Data Protection Compliance
• Staff must follow GDPR and ICO-recommended practices for electronic data handling.
5. Electronic Patient Record Storage & Security
5.1 Patient Records on Insync Faces Consent
• All patient records, consent forms, and treatment histories are securely stored on the Faces Consent platform.
• Faces Consent complies with UK GDPR and ensures secure encryption for data storage.
• Patient records are backed up to ensure no data loss.
• Access to Faces Consent is restricted to authorised clinical personnel only via secure login authentication.
🔹 Faces Consent Security Features:
✔ Encrypted database storage for all patient records.
✔ Secure access with authentication controls.
✔ Audit logs to track access history and prevent unauthorised entry.
🌐 More information on security: https://facesconsent.com
5.2 Encrypted CCTV Storage for Patient & Staff Safety
• All clinic CCTV footage is encrypted and securely stored off-site on Netatmo servers.
• Only authorised personnel can access CCTV footage for security and safety purposes.
• CCTV footage is retained in line with ICO recommendations and deleted after 7 days unless required for legal purposes.
6. Staff Confidentiality & Data Protection
• Employee records (HR files, contracts, payroll) are stored electronically on a secure internal server.
• Access to staff files is restricted to HR and management personnel only.
• Clinic business operations, supplier details, and financial data are confidential and must not be shared without authorisation.
7. Handling & Sharing Confidential Information
7.1 Patient Information & Consent
Explicit written consent must be obtained before sharing patient data with third parties.
Patients have the right to:
• Request access to their medical records.
• Request correction or deletion of incorrect information.
• Withdraw consent for data processing.
7.2 Sharing Information with Third Parties
Patient data can only be shared with:
• Other medical professionals involved in the patient’s care.
• Regulatory bodies (CQC, MHRA) where legally required.
• Insurers or legal representatives, but only with explicit patient consent.
Under no circumstances should patient information be shared for marketing or advertising purposes without explicit consent.
8. Confidentiality Breaches & Incident Reporting
8.1 Identifying a Confidentiality Breach
A breach occurs when:
• Unauthorised access is gained to electronic records (Faces Consent, payroll, HR data).
• Confidential data is accidentally disclosed or sent to the wrong recipient.
• CCTV footage is accessed without authorisation.
• Patient or employee data is lost, stolen, or misused.
8.2 Reporting a Breach
• All breaches must be reported immediately to the Clinic Manager or Data Protection Officer (DPO).
• An incident report must be completed, detailing:
    • Date and nature of the breach.
    • Individuals affected.
    • Steps taken to contain the breach.
• If the breach is serious, it must be reported to the ICO within 72 hours.
🔹 ICO Contact for Data Breaches:
📞 Helpline: 0303 123 1113
🌐 Website: www.ico.org.uk
9. Social Media & Marketing Confidentiality
📲 No patient details should be discussed or shared on social media.
📷 Before/after images require signed patient consent via Faces Consent.
📧 Staff must ensure patient details are never shared via unsecured online platforms.
10. Training & Compliance
• All staff must complete mandatory confidentiality and data protection training.
• Staff must complete annual refresher training on GDPR, patient data protection, and social media privacy.
• Compliance audits will be conducted to ensure policy adherence.
11. Policy Review & Amendments
This policy will be reviewed every two years or sooner if:
• New GDPR or ICO regulations are introduced.
• A serious data breach occurs.
• The clinic updates its data storage or security systems.