UK GDPR and Data Protection Policy

About Policy

Version: 1.0
Issue Date: [09/11/2025]
Review Date: [09/11/2027 or sooner if legislation changes]
Policy Owner: Managing Partner / Data Controller – Newburn Ltd

1. Purpose and Scope

This policy sets out how ABZ Precision Clinic, operated under Newburn Ltd, collects, processes, stores, shares, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It applies to all employees, contractors, locums, students, trainees, and third parties handling identifiable information relating to patients, staff, and business partners. The policy covers both NHS and private healthcare activities, including but not limited to: consultations, triage, menopause and weight-loss services, and dispensing.

2. Policy Statement

ABZ Precision Clinic is committed to maintaining the highest standards of confidentiality and data protection. All data processing must be lawful, fair, transparent, and limited to the purposes for which it was collected. The Clinic will process data in accordance with the principles of UK GDPR, train staff, and report data breaches promptly.

3. Legal Framework

This policy is based on: UK GDPR, Data Protection Act 2018, Human Rights Act 1998, Freedom of Information (Scotland) Act 2002, Caldicott Principles, Common Law Duty of Confidentiality, and Healthcare Improvement Scotland (HIS) regulations.

4. Roles and Responsibilities

Data Controller: Newburn Ltd
All Staff: Must comply and complete annual training.

5. Data Protection Principles

Processing must comply with Article 5 of UK GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability.

6. Lawful Bases for Processing

Processing is based on Articles 6(1)(b) to (e) of UK GDPR and, for special category data (including health data), on Article 9(2)(h).

7. Data Subject Rights

Patients, staff, and partners have the rights of access, rectification, erasure, restriction, portability, and objection, and rights in relation to automated decision-making. Subject Access Requests (SARs) must be responded to within one calendar month of receipt.

8. Consent

Consent must be freely given, informed, specific, and recorded. It can be withdrawn at any time.

9. Data Sharing

Data is shared only with legitimate healthcare providers, authorised third parties, or as required by law. No personal data is transferred outside the UK without appropriate safeguards.

10. Data Breach Procedure

Suspected data breaches must be reported immediately to the Information Governance Lead and the DPO. The DPO will assess the breach and, where notification is required, report it to the ICO within 72 hours of the Clinic becoming aware of it.

11. Data Retention and Disposal

Records are retained per the NHS Scotland Records Management Code (2023) and securely destroyed when no longer required.

12. Data Protection Impact Assessments (DPIA)

DPIAs are required for new or high-risk processing, approved by the DPO and logged in the DPIA Register.

13. Staff Training and Awareness

All staff must complete annual data protection training and sign confidentiality agreements. Non-compliance may result in disciplinary action.

14. Policy Monitoring and Review

This policy is reviewed annually or sooner if required. Compliance is monitored through audits and DPO oversight.

15. Equality and Accessibility

All communications will be made accessible upon request, ensuring equitable treatment for all data subjects.

16. Document Control

Version 1.0 | 09/11/2025 | Dr R Gupta
