Effective date: 2008-11-10
Updated on: 2023-05-21


About DMC Healthcare Ltd. and DMC Imaging Ltd.

DMC Healthcare and DMC Imaging Ltd (DMC, the organisation), of 81,Bellegrove Road, Welling, Kent DA16 3PG are Controllers of the personal data we hold. We are registered with the Information Commissioner’s Office as a Data Controller and our registration numbers can be found by searching the ICO Register using this link. DMC take your privacy seriously and we want to provide you with information about your rights, who we share your information with and how we keep it secure.

How we use your information (our ‘purposes’)

DMC collects and uses your information for the following purposes:

  • To provide you with healthcare when you visit our Primary Care, Radiology, Dermatology or Endoscopy services (includes recording for training and legal defence purposes).
  • To provide our services and report to our Commissioners about the service we provide to you.
  • To anonymise and use your data for research into better care and practice.
  • To keep our patients, visitors and staff safe when visiting site with the use of CCTV, for example.
  • We also process personal data as part of this website, please see the separate notice at the bottom of the screen to find out about this.

In the sections below we will provide more detail about what we collect, what we use it for, and our lawful basis to use it.  The UK General Data Protection Regulation (UK GDPR or GDPR) defines several lawful bases and Controller must specify in webpages such as this one which lawful basis we are relying on when using your information.

To provide you with healthcare

What do we use your information for? 

Your doctor, radiologist, dermatologist and other health professionals caring for you, such as nurses and reception staff, all need to keep records about your health and treatment so that they are able to provide you with the best possible care. These records are called your ‘health care record’ and may be stored in paper form or on computer and other electronic systems.

As part of this, we use your information to:

  • Refer you to other healthcare providers when you need other service or tests​
  • Discuss or share information about your health or care with other health or social care providers
  • Share samples with laboratories for testing (like blood samples)
  • Share test results with hospitals or community services (like blood test results)
  • Allow out of hours or extended hours GPs to look at your health record when you are going to an appointment
  • Send prescriptions to a pharmacy
  • Text you in relation to healthcare services and appointments
  • Provide your samples to the courier for delivery to pathology
  • Share reports with the coroner
  • Receive reports of appointments you have attended elsewhere such as with the community nurse or if you have had a stay in hospital
  • Produce medical reports on request from third parties such as the DVLA or your employer, but only when you have provided prior consent
  • Movement of your patient records to Primary Care Support England

What information do we collect? 

We collect the following:

  • basic details about you, such as address, date of birth, NHS number, and next of kin
  • ​contact we have had with you, such as clinical visits
  • notes and reports about your health
  • details and records about your treatment and care
  • results of x-rays, laboratory tests etc
  • information about your sexual life or home life
  • information about ethnicity and religion

What is our lawful basis for using your information? 

Healthcare providers are permitted to collect, store, use and share this information under Data Protection Legislation (the UK  General Data Protection Regulation)which has a specific section related to healthcare information.

This is called a ‘lawful basis’.  Where we are deemed to be a data controller, our lawful basis for using your personal data is UK GDPR Article 6(1)(e) – a task carried out in the public interest or in the exercise of official authority.  We have an NHS contract to provide our services.

We can also only use your health and other ‘special category’ or sensitive information if we apply an exception.  These are in UK GDPR and we use Article 9(2)(h) – for the provision of healthcare.

Please be aware that administrative staff will often access information addressed to a particular clinician to allow us to manage high volumes of communication. They are bound by confidentiality in the same way as the clinician is and will keep your information private.

About children and young people

Young people from aged 16 are allowed to make decisions about how their health information is used and shared.  They are deemed competent from this age to make decisions about their own healthcare.  Under these circumstances, unless the young person agree, a parent or guardian will not be provided with information about the care of the young person .

Where the young person is under 16, case law allows the health care professional to decide that the individual is competent enough to make a decision about their own healthcare.  Equally, under those circumstances, a parent or guardian will not be provided with access to information about the care of the young person.

Conversely, should a health care professional deem that the young person who is under 16 years of age cannot make the decision themselves, then parents or guardians will be invited into the discussion.

Parents or guardians of those under 16 should note that the application of competency (sometime called Gillick competency) may apply to some or all elements of the confidential information about the young person.

To provide our services, report to our commissioners and contribute to national NHS data sharing initiatives

What do we use your information for? 

Along with activities related directly to your care, we also use information in ways which allow us to check that care is safe and provide data for the improvement and planning of services.

  • Quality/ payment/ performance reports are provided to service commissioners
  • Undertaking clinical audits locally to ensure safety and efficiency
  • Sending practice information to other NHS bodies for national audits that are required by law (e.g., NHS Digital Audit Data Collection )
  • Sending patient information to NHS Digital for Research and Planning Purposes. Find Out More about how Patient Data is Used for Planning Research.
  • Supporting staff training
  • Incident and complaint management
  • As part of ad hoc clinical research – information that identifies you will be removed, unless you have consented to being identified

What is our lawful basis for using your information? 

When we use your information to conduct audits and manage our services to you, our lawful basis is UK GDPR Article 6(1)(e) – a task carried out in the public interest or in the exercise of official authority.  When use your health information for this purpose, we rely on the exception of the management of healthcare systems in Article 9(2)(h).

When we anonymise your information to use it for an ad-hoc clinical research purpose, we rely on our legitimate interests (Article 6(1)(f)) to understand and develop new methods of care for individuals and the research exception in Article 9(2)(j).

Do we transfer any of your information outside of the UK?

For your radiology service, we employ the services of Apollo Radiology International (ARI) to provide out of hours support and to allow us to provide a round the clock service.  The radiologists are based in India and have ‘view only’ remote access to your personal data to the same systems (based here in the UK) that our UK radiologists use.  No data are allowed to be taken out of the system, and we have strong security controls around access.  All radiologists are registered with the Royal College of Radiologists.

As required by UK GDPR, we have put contracts in place with ARI (called International Data Transfer Agreements) which are mandated by the Information Commissioners Office and which protect your personal data.

To help keep our visitors and staff safe

What do we use your information for?

DMC Healthcare Ltd has installed CCTV at the following locations;

Dulwich Medical Centre – SE22 9EP
Chadwick Road Surgery – SE15 4PU

External Front Entrance
External Front Car Park
External Rear Car Park
External Back Entrance
Upstairs Waiting Room
Reception & Waiting Room
Downstairs Corridor
Upstairs Corridor

Our purpose for using CCTV is in order to protect patients, staff and visitors from abuse or incidents of crime. This is a common measure employed by organisations as a deterrent for anti-social behaviour and allows DMC Healthcare Ltd to assist police where an event does occur. The ability to employ measures to protect individuals on the premises and ensure that staff and patients feel safe on site is crucial to allow DMC Healthcare Ltd to deliver services to data subjects and so is lawful in order to support our legitimate interests.

What is our lawful basis?

Under UK GDPR our lawful basis for the use of CCTV is therefore Article 6(1)(f) – legitimate interests. DMC Healthcare Ltd has also ensured that the CCTV is only in place in the more public areas of the premises and that surveillance does not extend to clinical areas or washroom areas where the individual would have a reasonable expectation of privacy. The recordings are kept securely, with limited access for 28 days. You can ask for a copy of recordings or raising objections or concerns by contacting our Data Protection Officer.

Sharing your information when required to by Law

Sometimes we will be required by law to share your information and will not always be able to discuss this with you directly. Examples might be for the purposes of detection or prevention of crime, where it is in the wider public interest, to safeguard children or vulnerable adults, reporting infectious diseases or where required by court order.

Care Quality Commission access to health records

The CQC has powers under the Health and Social Care Act 2008 to access and use your health information where it is necessary to carry out their functions as a regulator. This means that inspectors may ask to look at certain records to decide whether we are providing safe, good quality care. More information about the CQC can be obtained on their website https://www.cqc.org.uk/about-us/our-policies/privacy-statement

To share with the CQC we will rely on the lawful basis of UK GDPR Article 6(1)(e) – a task carried out in the public interest or in the exercise of official authority, and the Article 9(2)(i) exemption of ensuring high standards of quality and safety of healthcare.

The suppliers we use to support our services (data processors)

We use a number of providers who process your personal data on our behalf.  All providers are bound by contract to keep your information safe and in line with UK GDPR requirements.

Provider Website
Confidential Waste
Shred-It https://www.shredit.co.uk/en-gb/home
BIFFA https://www.biffa.co.uk/
PHS https://www.phs.co.uk/about-us/our-brands/wastemanagement
SRCL Clinical Waste http://www.srcl.com/
Couriers / Delivery
City Sprint https://www.citysprint.co.uk/
Capita https://www.capita.com/
Multi-Functional Devices
ASL www.asl-group.co.uk
Video Consultation
Zoom https://zoom.us/
EConsult https://econsult.net/
Microsoft Teams https://www.microsoft.com/en-gb/
Healthcare Software
Health Intelligence https://health-intelligence.com/
Biotronics3D Limited https://www.3dnetmedical.com/public/
Prescribing Services Eclipse Live https://www.prescribingservices.org/
AccurX https://www.accurx.com/
Informatica (Audit+) https://www.informatica.com/gb/
Website Hosting / Mailing
NHS Choices https://www.nhs.uk/
Webpost https://webpost.com/
Clarity Team Net https://clarity.co.uk/teamnet/
Rydon Maintenance http://www.rydon.co.uk/
Healthcare Hardware
Numed https://www.numed.co.uk
Keystream https://key-stream.com/
IT Service Provider
NELCSU www.nelcsu.nhs.uk/
Digital Redaction / Scanning
iGPR www.igpr.co.uk/
Notespace https://www.oasisgroup.com/services/notespace.6453.html
Payroll / Finance
Sage https://www.sage.com/en-gb/
QX Ltd https://www.qxltd.com/
EdenRed www.edenred.co.uk
Associations / Groups / Providers
Medical Defence Union https://www.themdu.com/
Dispex www.dispex.net
Provision of Clinical System
Vision Health https://www.visionhealth.co.uk/
E-Referrals https://digital.nhs.uk/services/e-referral-service
e-LH www.e-lfh.org.uk
Invicta Health e-learning https://invictahealth.co.uk/provide/invicta-health-learning/
HR / Employment
Peninsula HR https://www.peninsulagrouplimited.com/
Interface https://www.interface-cs.co.uk/
Vision Primary Care Training https://visionpct.co.uk
Iplato https://www.iplato.com/
Hospify https://www.hospify.com/
Hitec- Retina Security http://hi-techsecurityandfire.co.uk/
Survey Monkey https://www.surveymonkey.com/
EMIS Web https://www.emishealth.com/products/emis-web
Hornsey Consulting Ltd. https://hornseyconsulting.co.uk/

Newly added providers

Insource Ltd (Data Analytics)      https://www.insource.co.uk/             Added 14th August 2021

Apollo Radiology International     Apollo Radiology International | Hyderabad | India (apolloradiologyintl.com)

Information Rights

Data protection law provides you with a number of rights that we are committed to supporting you with;

Right to Access

You have the right to obtain:

  • Confirmation that your information is being used, stored or shared by us
  • A copy of information held about you

​We will respond to your request within one month of receipt or will tell you when it might take longer.

​We are required to validate your identity including the identity of someone making a request on your behalf​

Right to Object or Withdraw Consent

  • We mainly use, store and share your information because we are permitted in order to deliver your healthcare but you do have a right to object to us doing this.
  • ​Where we are using, storing and sharing your information based on explicit consent you have provided, you have a right to withdraw that consent at any time.
  • ​You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.
  • Visit nhs.uk/your-nhs-data-matters to opt out.

Our Data Protection Officer will be happy to speak with you about any concerns you have.

Right to Rectification

If information about you is incorrect, you are entitled to request that we correct it. There may be occasions, where we are required by law to maintain the original information – our Data Protection Officer will talk to you about this and you may request that the information is not used during this time. ​We will respond to your request within one month of receipt or will tell you when it might take longer.

​Information Technology

We will use third parties to provide services that involve your information such as;

  • Removal and destruction of confidential waste
  • Provision of clinical systems
  • Provision of connectivity and servers
  • Digital dictation services

Data analytics or warehousing (these allow us to make decisions about care or see how effectively the organisation is run – personal data will never be sold or made available to organisations not related to your care delivery).

​We have contracts in place with these third parties that prevent them from using it in any other way that instructed. These contracts also require them to maintain good standards of security to ensure your confidentiality.

Keeping Your Information Safe

We are committed to ensuring the security and confidentiality of your information.

There are a number of ways we do this;

  • Staff receive annual training about protecting and using personal data
  • Policies are in place for staff to follow and are regularly reviewed
  • We check that only the minimum amount of data is shared or accessed
  • We use restricted access to systems, this helps to ensure that the right people are accessing data – people with a ‘need to know’
  • We use encrypted emails and storage which would make it difficult for someone to ‘intercept’ your information
  • We report and manage incidents to make sure we learn from them and improve
  • We put in place contracts that require providers and suppliers to protect your data as well
  • We do not send your data outside of the EEA

How Long Do We Keep Your Information?

In line with the Department of Health Code, we will retain / store your health record for your lifetime. When a patient dies, we will send your record to Primary Care Services England review the record and generally it will be destroyed 10 years later, unless there is a reason to keep it for longer. ​If you move away or register with another provider, we will send your records to the new provider. Our CCTV  is kept for no longer than 30 days and then overwritten.

Asking questions about our use of your personal data and making a complaint

If you have any questions or wish to make a request in relation to your personal data, please contact us using the details on our main page or contact our Data Protection Officer at dpo.dmchealthcare@kdpc.uk. Our Data Protection Officer (DPO) service is provided by Kaleidoscope Consultants Ltd. When we ask for their support, we will aim to remove any reference to individual patients. Where this is not possible, we will use the minimum necessary to allow us to obtain advice and support. You can find out more about Kaleidoscope Consultants Ltd at www.kaleidoscopeconsultants.com.

You also have the right to complain, and you can do that in the first instance through our DPO.  If you are not happy with the response, you also have the right to complain to the UK Information Commissioner’s Office, their details are as follows:

Clinical Effectiveness

Clinical effectiveness means ensuring that all aspects of service delivery are designed to provide the best outcomes for patients. This is achieved by ensuring that the right care is delivered to the right person at the right time they are in need and in the correct setting.


A patient’s information should always be up to date and correct on any systems used. It should also be confidential through correct storage and management of data.

Risk Management

Risk Management involves having robust systems in place to understand, monitor and minimise the risks to patients and staff and to learn from mistakes. When things go wrong in the delivery of care, our staff teams should feel safe admitting it and be able to learn and share what they have learnt, which embeds change in practice.

Patient & Public Involvement

Communication with patients and the public is essential to gain insight on the quality of care we deliver, and any possible problems that can result. Public involvement is equally as important to ensure that patient and public feedback is used to improve services into day-to-day practice for better patient outcomes.

Education & Training

This encompasses the provision of appropriate support to enable staff to be competent in doing their jobs and to develop their skills so that they are up to date. Professional development needs to continue through lifelong learning.

Staff Management

This ensures the organisation recruits highly skilled staff and aligns them with the correct job roles. Staff are supported in professional development and to gain and improve their skills.


The aim of the audit process is to ensure that clinical practice is continuously monitored and that deficiencies in relation to set standards of care are remedied. Research goes alongside audits to pioneer best practice improvements.