Privacy, Confidentiality and Data Protection Policy

1. Purpose and scope

This policy sets out how Momentum Joint Care Ltd (MJC) collects, stores, uses, shares, and protects personal information.

Momentum Joint Care Ltd is committed to maintaining the privacy, dignity, and confidentiality of all patients and complying with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Common Law Duty of Confidentiality

  • Human Rights Act 1998

  • Caldicott Principles

  • Health and Social Care Act 2008 (Regulated Activities) Regulations 2014

This policy applies to all patient, staff, contractor, and governance information held by Momentum Joint Care Ltd.

2. Policy statement

Momentum Joint Care Ltd recognises that confidential information is essential to the provision of safe and effective healthcare.

We will:

  • Process information lawfully, fairly and transparently

  • Collect only information necessary for care and business operations

  • Keep information accurate and up to date

  • Store information securely

  • Restrict access to authorised individuals only

  • Share information appropriately and lawfully

  • Respect patients' rights regarding their personal information

  • Investigate and manage any information governance incidents promptly

3. Information collected

Information held by Momentum Joint Care Ltd may include:

Patient information

Patient information

Patient information

  • Name

  • Date of birth

  • Address

  • Telephone number

  • Email address

  • GP details

  • Relevant medical history

  • Examination findings

  • Consent documentation

  • Treatment records

  • Follow-up communications

Business information

Business information

Business information

  • Governance records

  • Complaints records

  • Incident records

  • Staff training records

  • Recruitment records

4. Legal basis for processing information

4. Legal basis for processing information

Momentum Joint Care Ltd processes personal information under the following lawful bases:

Provision of healthcare

Provision of healthcare

Provision of healthcare

Processing is necessary for:

  • Preventive medicine

  • Medical diagnosis

  • Provision of healthcare treatment

  • Healthcare management

Legal obligations

Legal obligations

Legal obligations

Processing may also be required to:

  • Comply with safeguarding duties

  • Meet regulatory requirements

  • Respond to legal requests

  • Comply with CQC requirements

5. Clinical records

Momentum Joint Care Ltd maintains clinical records using E-clinic, a secure cloud-based practice management and clinical record system.

Clinical records:

  • Are stored electronically

  • Are backed up by the provider

  • Are accessible only to authorised clinicians

  • Are protected by password-controlled access

  • Are retained in accordance with NHS and professional guidance

All clinical records remain the property of Momentum Joint Care Ltd.

6. Confidentiality

All patient information is treated as confidential.

Information will only be accessed by individuals who require it for legitimate clinical or operational purposes.

Momentum Joint Care Ltd follows the Caldicott Principles, including:

  • Justifying the purpose for using confidential information

  • Using only the minimum necessary information

  • Limiting access on a need-to-know basis

  • Ensuring all users understand their responsibilities

7. Information sharing

Patient information may be shared when:

With patient consent

With patient consent

With patient consent

Examples include:

  • Informing the patient's GP following treatment

  • Referral for imaging investigations

  • Referral to physiotherapy services

  • Referral to specialist services

Written or documented consent will normally be obtained before routine information sharing.

Without consent

Without consent

Without consent

Information may be disclosed where legally required, including:

  • Safeguarding concerns

  • Serious risk of harm to the patient or others

  • Court orders

  • Police requests where legally justified

  • Regulatory investigations

Any disclosure without consent will be documented.

8. Data security

Momentum Joint Care Ltd takes reasonable measures to protect information from:

  • Unauthorised access

  • Loss

  • Theft

  • Accidental disclosure

  • Corruption

Security measures include:

  • Password-protected systems

  • Role-based access controls

  • Secure cloud-based clinical records

  • Secure email communication

  • Locked storage for any paper records

  • Secure disposal of confidential waste

No patient-identifiable information is stored on personal devices unless appropriately secured.

9. Data retention

Records are retained in accordance with NHS Records Management Code of Practice and relevant professional guidance.

Where applicable:

  • Adult clinical records are normally retained for a minimum of 8 years after the last episode of care

  • Governance records are retained for at least 10 years

  • Recruitment records are retained in accordance with employment legislation

Records reaching the end of their retention period will be securely destroyed.

10. Patient rights

Patients have the right to:

  • Request access to their personal information

  • Request correction of inaccurate information

  • Request restriction of processing where appropriate

  • Raise concerns regarding data handling

  • Complain to the Information Commissioner's Office (ICO)

Subject Access Requests should be submitted in writing to:

Momentum Joint Care Ltd
Lake House 2 Port Way, Port Solent,
Portsmouth, Hampshire, PO6 4TY

Email: info@momentumjointcare.co.uk

Momentum Joint Care Ltd
Lake House 2 Port Way, Port Solent,
Portsmouth, Hampshire, PO6 4TY

Email: info@momentumjointcare.co.uk

Momentum Joint Care Ltd
Lake House 2 Port Way, Port Solent,
Portsmouth, Hampshire, PO6 4TY

Email: info@momentumjointcare.co.uk

11. Data breaches

Any actual or suspected data breach must be:

  1. Reported immediately to both directors

  2. Recorded in the Risk and Incident Log

  3. Investigated promptly

  4. Managed in accordance with UK GDPR requirements

Where required, breaches will be reported to:

  • The Information Commissioner's Office (ICO)

  • Affected individuals

  • The Care Quality Commission (where appropriate)

Lessons learned will be reviewed through the Clinical Governance process.

12. Training and responsibilities

Dr Horia D Juganaru

Dr Horia D Juganaru

Dr Horia D Juganaru

Nominated Individual

Responsible for:

  • Information governance oversight

  • Data protection compliance

  • Breach management

Mr Rory Ormiston

Mr Rory Ormiston

Mr Rory Ormiston

Registered Manager

Responsible for:

  • Day-to-day implementation of this policy

  • Secure record management

  • Governance monitoring

Both directors complete annual NHS information governance and data security training, with certificates retained within Momentum Joint Care governance records.

13. Review

This policy will be reviewed annually or sooner if:

  • Legislation changes

  • Regulatory guidance changes

  • Significant incidents occur

  • New systems or services are introduced

Approved by:

Approved by:

Approved by:

Dr Horia D Juganaru

Dr Horia D Juganaru

Dr Horia D Juganaru

Nominated Individual

Mr Rory Ormiston

Mr Rory Ormiston

Mr Rory Ormiston

Registered Manager

Date approved: 13/06/2026

Next review due: 13/06/2026

Take the first step
towards relief

Appointments available within days.

No GP referral required.

Take the first step
towards relief

Appointments available within days.

No GP referral required.

Take the first step
towards relief

Appointments available within days.

No GP referral required.