Privacy, Confidentiality and Data Protection Policy
1. Purpose and scope
This policy sets out how Momentum Joint Care Ltd (MJC) collects, stores, uses, shares, and protects personal information.
Momentum Joint Care Ltd is committed to maintaining the privacy, dignity, and confidentiality of all patients and complying with:
UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Common Law Duty of Confidentiality
Human Rights Act 1998
Caldicott Principles
Health and Social Care Act 2008 (Regulated Activities) Regulations 2014
This policy applies to all patient, staff, contractor, and governance information held by Momentum Joint Care Ltd.
2. Policy statement
Momentum Joint Care Ltd recognises that confidential information is essential to the provision of safe and effective healthcare.
We will:
Process information lawfully, fairly and transparently
Collect only information necessary for care and business operations
Keep information accurate and up to date
Store information securely
Restrict access to authorised individuals only
Share information appropriately and lawfully
Respect patients' rights regarding their personal information
Investigate and manage any information governance incidents promptly
3. Information collected
Information held by Momentum Joint Care Ltd may include:
Name
Date of birth
Address
Telephone number
Email address
GP details
Relevant medical history
Examination findings
Consent documentation
Treatment records
Follow-up communications
Governance records
Complaints records
Incident records
Staff training records
Recruitment records
Momentum Joint Care Ltd processes personal information under the following lawful bases:
Processing is necessary for:
Preventive medicine
Medical diagnosis
Provision of healthcare treatment
Healthcare management
Processing may also be required to:
Comply with safeguarding duties
Meet regulatory requirements
Respond to legal requests
Comply with CQC requirements
5. Clinical records
Momentum Joint Care Ltd maintains clinical records using E-clinic, a secure cloud-based practice management and clinical record system.
Clinical records:
Are stored electronically
Are backed up by the provider
Are accessible only to authorised clinicians
Are protected by password-controlled access
Are retained in accordance with NHS and professional guidance
All clinical records remain the property of Momentum Joint Care Ltd.
6. Confidentiality
All patient information is treated as confidential.
Information will only be accessed by individuals who require it for legitimate clinical or operational purposes.
Momentum Joint Care Ltd follows the Caldicott Principles, including:
Justifying the purpose for using confidential information
Using only the minimum necessary information
Limiting access on a need-to-know basis
Ensuring all users understand their responsibilities
7. Information sharing
Patient information may be shared when:
Examples include:
Informing the patient's GP following treatment
Referral for imaging investigations
Referral to physiotherapy services
Referral to specialist services
Written or documented consent will normally be obtained before routine information sharing.
Information may be disclosed where legally required, including:
Safeguarding concerns
Serious risk of harm to the patient or others
Court orders
Police requests where legally justified
Regulatory investigations
Any disclosure without consent will be documented.
8. Data security
Momentum Joint Care Ltd takes reasonable measures to protect information from:
Unauthorised access
Loss
Theft
Accidental disclosure
Corruption
Security measures include:
Password-protected systems
Role-based access controls
Secure cloud-based clinical records
Secure email communication
Locked storage for any paper records
Secure disposal of confidential waste
No patient-identifiable information is stored on personal devices unless appropriately secured.
9. Data retention
Records are retained in accordance with NHS Records Management Code of Practice and relevant professional guidance.
Where applicable:
Adult clinical records are normally retained for a minimum of 8 years after the last episode of care
Governance records are retained for at least 10 years
Recruitment records are retained in accordance with employment legislation
Records reaching the end of their retention period will be securely destroyed.
10. Patient rights
Patients have the right to:
Request access to their personal information
Request correction of inaccurate information
Request restriction of processing where appropriate
Raise concerns regarding data handling
Complain to the Information Commissioner's Office (ICO)
Subject Access Requests should be submitted in writing to:
11. Data breaches
Any actual or suspected data breach must be:
Reported immediately to both directors
Recorded in the Risk and Incident Log
Investigated promptly
Managed in accordance with UK GDPR requirements
Where required, breaches will be reported to:
The Information Commissioner's Office (ICO)
Affected individuals
The Care Quality Commission (where appropriate)
Lessons learned will be reviewed through the Clinical Governance process.
12. Training and responsibilities
Nominated Individual
Responsible for:
Information governance oversight
Data protection compliance
Breach management
Registered Manager
Responsible for:
Day-to-day implementation of this policy
Secure record management
Governance monitoring
Both directors complete annual NHS information governance and data security training, with certificates retained within Momentum Joint Care governance records.
13. Review
This policy will be reviewed annually or sooner if:
Legislation changes
Regulatory guidance changes
Significant incidents occur
New systems or services are introduced
Nominated Individual
Registered Manager
Date approved: 13/06/2026
Next review due: 13/06/2026