Effective Date: January 2026
Enigma Healthcare (“we”, “us”, “our”) is a private healthcare provider based in the United Kingdom.
We are the Data Controller in respect of your personal data.
We are committed to protecting your personal information and handling it in accordance with:
UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Health and Social Care Act 2008
Applicable CQC standards
Privacy and Electronic Communications Regulations (PECR)
This Privacy Policy explains how we collect, use, store, share and protect your personal data.
We may collect and process the following categories of personal data:
Name, date of birth, gender, address, telephone number, email address, NHS number (where applicable), GP details, next of kin.
Medical history, diagnoses, treatment plans, medications, investigation results, imaging, correspondence from other healthcare professionals, safeguarding information and clinical notes.
Billing address, payment details, insurance policy information, authorisation codes, transaction history.
Appointment bookings, call recordings (where applicable), email correspondence, website enquiries.
IP address, browser type, device information and website usage data (via cookies and analytics tools).
We collect only data that is necessary, relevant and proportionate for the purposes described below.
We process your personal data for the following purposes:
Assessment, diagnosis and treatment
Maintaining accurate medical records
Referrals to other healthcare providers
Clinical audit and governance
Appointment scheduling and reminders
Billing and insurance processing
Responding to enquiries
Meeting obligations under healthcare law
CQC compliance
Safeguarding duties
Public health reporting
Fraud prevention
Service monitoring and improvement
Patient feedback analysis
We may use anonymised data for audit, service evaluation or research. Identifiable data will only be used with appropriate legal basis and safeguards.
Where fees remain unpaid, limited necessary information may be shared with debt recovery agents in accordance with contractual necessity and legal obligations.
Under UK GDPR, we rely on the following legal bases:
Contractual necessity (provision of treatment)
Legal obligation
Legitimate interests (clinic administration and service improvement)
Consent (where required)
Provision of health or social care (Article 9(2)(h))
Public interest in the area of public health (where applicable)
Explicit consent (where required)
We do not rely on consent for core clinical record keeping, as this is processed under healthcare provision legislation.
We may share your personal data where necessary and lawful with:
Other healthcare professionals involved in your care
Laboratories, imaging providers and diagnostic services
Private medical insurers
Regulatory bodies (e.g., CQC, ICO, GMC)
NHS bodies (where required)
Professional advisers (legal, audit)
IT and systems providers (under strict data processing agreements)
Debt recovery agencies (where payment terms are breached)
All third parties are required to process your data securely and in accordance with data protection law.
We do not sell your personal data.
We retain records in line with NHS Records Management Code of Practice (2021, updated guidance applicable in 2026).
Typically:
Adult medical records: Minimum 8 years from last treatment
Children’s records: Until age 25 (or 26 if 17 at conclusion of treatment)
Financial records: Minimum 6 years for tax compliance
Data is securely destroyed when no longer required.
We do not routinely transfer personal data outside the UK.
If we use cloud or IT providers with overseas processing, we ensure appropriate safeguards are in place, such as:
UK International Data Transfer Agreements (IDTA)
UK Addendum to EU Standard Contractual Clauses
Adequacy regulations
We do not use automated decision-making that produces legal or similarly significant effects without human review.
Where digital systems or AI-enabled tools assist in administration or clinical documentation, they operate under appropriate governance and human oversight.
We implement appropriate technical and organisational measures, including:
Encrypted systems
Role-based access controls
Secure cloud storage
Multi-factor authentication
Staff confidentiality training
Data Processing Agreements with suppliers
ISO-aligned information governance processes
While we take robust measures, no electronic transmission is entirely secure.
Under UK GDPR, you have the right to:
Access your personal data
Request rectification of inaccurate data
Request erasure (where legally applicable)
Restrict processing in certain circumstances
Data portability
Object to processing based on legitimate interests
Withdraw consent (where processing is consent-based)
Requests will be responded to within one month unless the period is lawfully extended.
To make a request, contact us using the details below.
Our website uses cookies in accordance with PECR.
You may control or disable cookies via your browser settings. A separate Cookie Policy provides further details.
We may update this Privacy Policy periodically. The latest version will always be available on our website with the review date clearly stated.
Data Protection Lead
Katie Biddiss
Clinic Director
Enigma Healthcare
Unit 2 Portal Business Park
Eaton Lane
Tarporley
Cheshire
CW6 9DL
Tel: 01829 863331
Email: [email protected]
You have the right to lodge a complaint with:
Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk