

In line with the new GDPR legislation, we would like to make you aware of how we handle the personal data we collect in the course of our business.

Data Controller: Miss Karen Brown


This Privacy Notice explains:

  • What Personal Data Surrey Dermatology holds.

  • Why we hold and process it.

  • Who we might share it with.

  • Your rights and freedoms by Law under the terms of the Data Protection Act 2017 and the requirements of the EU General Data Protection Regulation.

  • How long your data is stored for.

  • How you can complain if you have a problem with your stored data.

Types of Personal Data

  1. Patient clinical and health data and correspondence. This may include contact names, phone numbers, email address and home address; these are all used to identify you and to contact you as and when required to make appointments or give you results. By giving us these details you agree to us holding this data on your files. These files are kept as hard paper copies and also on a secure healthcare system.

  2. Staff employment data.

  3. Suppliers/Contractors’ data.

Why we process Personal Data (what is the “purpose”)

  1. “Process” means we obtain, store, update and archive data.

  2. Patient data is held for the purpose of providing patients with appropriate, high quality, safe and effective care and treatment.

  3. Staff employment data is held in accordance with Employment, Taxation and Pensions law.

  4. Suppliers/Contractors’ data is held for the purpose of managing their contracts.

What is the Lawful Basis for processing Personal Data?

The Law says we must tell you this:

  1. We hold patients’ data because it is in our Legitimate Interest to do so. Without holding the data we cannot work effectively.

  2. We hold staff employment data because it is a Legal Obligation for us to do so.

  3. We hold suppliers/contractors’ data because it is needed to Fulfil a Contract with us.

Data Sharing

  1. We may share your data from time to time; however, this is only done if it is necessary and is done securely. Patient Data may be shared with other healthcare professionals who need to be involved in your care (for example, if we need to refer you further). Once data has been transferred to other healthcare providers, your information will fall under their Privacy Policy terms.

  2. Employment data will be shared only where necessary, such as where required to comply with legislation, e.g. HMRC, pensions, etc.

Please note we will NOT share any of your data for any marketing purposes ever.

Your rights to request Data Access

We are happy to provide details of all data held in respect of any patient. This will be provided to the patient upon providing proof of identity (proof of name). It will be provided verbally face to face or in printed form and forwarded to the customer free of charge within two weeks or sooner.

You may request to correct any information that we hold about you that is wrong, or you may have your data removed in certain circumstances. We may, in some cases, be able to transfer your data to another person if you choose; however, this will be done in a safe and legal way. Any requests with regard to the data we hold for you should be directed to the Data Controller, Karen Brown.

Any data access requests from staff should be directed to Karen Brown, who will provide printed copies free of charge and within two weeks or sooner.

How long is the Data stored for?

We will store patient data for as long as we are providing care, treatment or recalling patients for further care. We will archive it (that is, store it without further action) for as long as is required for legal purposes, as recommended by the NHS or other trusted experts. We must store employment data for six years after an employee has left.



Any complaints should be raised in the first instance to the Data Controller Miss Karen Brown. We will do our best to resolve the matter. However, if you are not satisfied with the way in which your complaint is handled you should direct your complaint to the ICO at

or by telephoning them on 0303 123 1113.
