Privacy Notice

We collect personal data from you when you are referred to our clinic or use our services.  We will always aim to keep this data secure and use it only for the purposes that we are legally allowed.  

For example, we collect and store information that we receive from your GP and other health professionals when you are referred to us for care.  We will also gather information from you at your appointments and may request historic information from other health clinics of past health episodes if these are relevant to the care we are providing you. We recognise that some of the information we hold will be sensitive.

The information we hold will include:

  • Contact details (name, address, telephone numbers, email)
  • Personal details (gender, date of birth, GP practice, emergency contacts)
  • Medical information (consultation notes, test results, photos of your skin complaint with your consent)
  • Relevant medical history (e.g., from your doctor’s referral)

The information we have access to, but do not directly hold, may include:

  • Historic regional test results necessary for your direct care.
  • Your GP summary record (more information below).

We use all of this information primarily to ensure the safe and effective delivery of care.  Parts of your record may be used for the efficient management of the NHS, and to undertake anonymised medical audits that improve our overall care for patients.

If you are referred to us, we may also use your mobile phone number and/or email address to send you Clinical Service Communications.  This includes appointment confirmations and/or reminders, appointment letters, consultation letters, and requests for clinical information relating to your care such as medical assessments/questionnaires.  You may opt-out of communication by SMS or email at any time.

You have a choice about whether you want your information to be used for educational or teaching purposes.  Occasionally we may ask if you are happy for information such as before-and-after treatment photos to be used for this purpose.  We would not disclose any accompanying personal data.  However, do note that certain information may be identifying by nature, such as photos of treatment to the facial region.  We will always seek your consent.

GP Connect

St Michael’s Clinic has signed the NHS Digital National Data Sharing agreement (NDSA) for GP Connect.  This is a facility used to support your direct care.  GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes.  GP Connect is not used for any purpose other than direct care.  Authorised clinicians are able to access the GP records of the patients they are treating via this secure NHS Digital service.

Having access to this information is advantageous for providers as it can help streamline the delivery of your care.  Without access, we may have to ask you about your relevant medical history throughout your care with us.  From a privacy, confidentiality, and data protection perspective, GP Connect provides a method of secure information transfer and reduces the need to use less secure or less efficient methods of transferring information, such as email or telephone.

Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same as those listed herein.

If you do not want us to view this information, you can withhold permission for us to do so when we ask you upon registration or referral.  Your consent status to sharing this data is something you have to contact your GP practice about.

Lawful bases for processing

We collect and use your personal information only when the law allows us to. These laws include:

  • General Data Protection Regulation 2018
  • UK General Data Protection Regulation (‘GDPR’)
  • Data Protection Act 2018
  • Human Rights Act 1998

Under the UK General Data Protection Regulation, we process your data in accordance with the following lawful bases:

  • The data subject (you) has given consent to the processing.
  • Processing is necessary for the performance of a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary in order to protect the vital interests of the data subject.
  • Processing is necessary for the purpose of the legitimate interests pursued by the controller or third party.

Who else has access to your data

At times, we do need to share information with other health service bodies, to ensure you receive the best care from us and the health service generally, and so that we can administer the service.  We will only send the minimum level of information that is necessary in these cases.

We do employ the services of other organisations who will process your data on our behalf – particularly our IT system suppliers.  These companies will not use your data in any way outside of this privacy policy and we are ensuring we have agreements in place that make this clear.

We also need to comply with any legal requests for information from public bodies – such as the police and government bodies – or to protect you, ourselves, and others.


Our IT systems are modern and robust with security being foremost.  We pride ourselves on maintaining various well-recognised security certifications, such as:

  • NHS Data Security & Protection Toolkit (‘DSPT’) assurance.
  • Cyber Essentials Plus compliance.

We operate in accordance with our local information security policies and strive to maintain a focus on the importance of securely handling patient data through various means such as staff training programmes and technical controls.

Our IT system suppliers will be accredited to sufficient levels of assurance in relation to security and the wider process of data as a Data Processor.  Such certifications may include:

  • NHS Data Security & Protection Toolkit (‘DSPT’) assurance.
  • Cyber Essentials/Plus compliance.
  • ISO certifications such as 27001 (Information Security Management System).
  • ICO certification.

We conduct Data Protection Impact Assessments (‘DPIAs’) before the introduction of any new system or before large scale transfers of information.  This is designed to risk assess the nature of the operation and minimise any resulting risk.

We use reasonable and modern methods to protect your data, but unfortunately no data transmission or storage system is 100% secure.  If you feel that the security of your information has been compromised in any way then please contact us immediately.  If we become aware of any security issue, then we will contact any individuals that are affected.

Your rights over your data

You have the right to be informed how we use your data.  If you have any queries over and above the contents of this policy then please contact our data protection officer, Mrs Amanda Copeland on

You can also request a summary of the information that we hold about you, or ask us to correct any factual data that is inaccurate.  The first request for information will be provided free of charge, but a fee of £10 may be charged for subsequent requests if they are felt to be excessive.

You may ask us to delete information that we hold about you, which we will consider.  However, it is a legal requirement to maintain medical records for a defined period of time (we abide by the current retention schedules contained in the “Records Management Code of Practice for Health and Social Care 2016”) and so these will be considered alongside any request.

To make a request for any of the above, please email us at

Finally, if you are unhappy with how we are managing your personal data, or aren’t happy with our response at any time, then you have the right to file a complaint with the Information Commissioner’s Office.

Use of Your Information Within the NHS & Care Services

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.  Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided.
  • Research into the development of new treatments.
  • Preventing illness and diseases.
  • Monitoring safety.
  • Planning services.

This may only take place when there is a clear legal basis to use this information.  All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, only anonymised data is used for research and planning purposes, meaning you cannot be identified, as your confidential information is not used.  If you are happy with this use of information you do not need to do anything.  If you do choose to opt out, your confidential patient information will only be used to support your individual care.

To find out more or to register your choice to opt out, please visit:  

On this web page you will:

  • See what is meant by confidential patient information.
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
  • Find out more about the benefits of sharing data.
  • Understand more about who uses the data.
  • Find out how your data is protected.
  • Be able to access the system to view, set or change your opt-out setting.
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone.
  • See the situations where the opt-out will not apply.

You can also find out more about how patient information is used at:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include the sharing of data with insurance companies or for marketing purposes.  Data would only be used in this way with your specific agreement.

Contact Us

Data and Privacy Policy Enquiries:

General Enquiries: Telephone: 01743 590010, Email:

Address: St Michael’s Clinic, St Michael’s Street, Shrewsbury, Shropshire, SY1 2HE

The legal conditions for processing personal data are public interest or the exercise of official authority, and contractual necessity.  The legal conditions for processing special categories of personal data are Health and Social care or vital interests.

This privacy policy was last updated March 2024
