Version 1.1 — Last updated: 13 March 2026
This page sets out how Clare Connolly Weight Loss Clinic processes personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It includes a summary of our Data Protection Impact Assessment (DPIA), our lawful basis table, and our key safeguards.
| Item | Detail |
|---|---|
| Organisation | Clare Connolly Weight Loss Clinic (LSJ Rejuvenate LTD) |
| Companies House Number | 09987395 |
| ICO Registration Number | ZA165050 |
| Data Protection Contact | [email protected] |
| ICO Register Verification | ico.org.uk/ESDWebPages/Search |
The following table sets out the lawful basis under UK GDPR Article 6 (and Article 9 for special category health data) for each category of processing we carry out.
| Processing Activity | Data Categories | Lawful Basis (Art. 6) | Special Category Basis (Art. 9) |
|---|---|---|---|
| Screening questionnaire assessment | Name, DOB, contact details, health data, body measurements, photos | Contract (Art. 6(1)(b)) — necessary to assess eligibility before entering a service contract | Explicit consent (Art. 9(2)(a)) + Health care provision (Art. 9(2)(h)) |
| Patient portal account management | Name, email, authentication data, portal activity | Contract (Art. 6(1)(b)) — necessary to provide the patient portal service | N/A — no special category data in account management |
| Clinical consultations and prescribing | Medical history, medications, clinical notes, prescribing decisions | Contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) | Health care provision (Art. 9(2)(h)) — treatment by a health professional |
| Progress tracking (measurements, habits, goals) | Weight, waist, BMI, habits, goals | Contract (Art. 6(1)(b)) — core programme feature | Explicit consent (Art. 9(2)(a)) — patient voluntarily logs health data |
| Appointment scheduling and Teams meetings | Name, appointment date/time, Teams link | Contract (Art. 6(1)(b)) — necessary to deliver consultations | N/A |
| Payment processing | Name, email, payment reference (card details processed by Stripe only) | Contract (Art. 6(1)(b)) — necessary to process payment for services | N/A |
| Transactional email notifications | Name, email address, notification content | Legitimate interests (Art. 6(1)(f)) — keeping patients informed about their care | N/A |
| GDPR data access audit logging | User ID, action type, resource, IP address, timestamp | Legal obligation (Art. 6(1)(c)) — ICO Accountability Framework | N/A |
| Clinical governance and incident reporting | Incident details, risk register entries, audit records | Legal obligation (Art. 6(1)(c)) — CQC registration requirements | Health care provision (Art. 9(2)(h)) where clinical data is involved |
| Marketing communications (opt-in only) | Name, email address | Consent (Art. 6(1)(a)) — explicit opt-in at screening | N/A |
A Data Protection Impact Assessment was conducted for the following high-risk processing activities, as required by UK GDPR Article 35:
Risk identified: Processing of special category health data (medical history, body measurements, clinical notes) for all patients creates a risk of unauthorised access, data breach, or misuse.
Safeguards implemented: AES-256-GCM field-level encryption for all sensitive fields; HTTPS-only transmission; HttpOnly/Secure/SameSite=Strict session cookies; 30-minute inactivity session lock; role-based access control (patient/admin separation); data access audit log recording every read/write; S3 file storage with random key suffixes to prevent enumeration.
Residual risk: Low — mitigated by encryption, access controls, and audit logging.
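Two of the safeguards listed above, AES-256-GCM field-level encryption and non-enumerable random storage keys, are shown below as an added illustration in Go. This is example code written for this page, not the clinic's own implementation; it assumes a 32-byte data key supplied by the caller (in practice from a key management service), a hypothetical `FieldCipher` type, and a constructed record ID and field name. The point it demonstrates beyond the list itself is that binding the record ID and column name into the GCM associated data means a ciphertext copied into another patient's row, or another column, fails authentication rather than silently decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// FieldCipher wraps a single AES-256-GCM data key. This is a hypothetical type
// for illustration; a real deployment would fetch and rotate the key via a KMS.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher builds the AEAD. AES-256 requires exactly 32 key bytes.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad binds a ciphertext to the row and column it was written for, so a value
// moved to another patient's record or another column fails to authenticate.
func aad(recordID, fieldName string) []byte {
	return []byte(recordID + "\x00" + fieldName)
}

// Seal encrypts one field value and returns base64(nonce || ciphertext || tag),
// suitable for a text column. A fresh random 96-bit nonce is drawn per call.
func (f *FieldCipher) Seal(recordID, fieldName string, plaintext []byte) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, plaintext, aad(recordID, fieldName))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. Tampering, or a mismatched recordID/fieldName, returns an error.
func (f *FieldCipher) Open(recordID, fieldName, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return nil, errors.New("stored value too short to be a valid ciphertext")
	}
	return f.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, fieldName))
}

// NewObjectKey builds a non-enumerable storage key such as "photos/<32 hex chars>.jpg".
// 128 bits of randomness mean one key gives no hint about any other, unlike sequential IDs.
func NewObjectKey(prefix, ext string) (string, error) {
	suffix := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, suffix); err != nil {
		return "", err
	}
	return prefix + "/" + hex.EncodeToString(suffix) + ext, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key generated at startup; never hard-code a real one
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample: a medical-history field for a fictitious patient record.
	stored, _ := fc.Seal("patient-0042", "medical_history", []byte("asthma; no current medication"))
	fmt.Println("stored:", stored)
	pt, err := fc.Open("patient-0042", "medical_history", stored)
	fmt.Println("decrypted:", string(pt), err)
	_, err = fc.Open("patient-0043", "medical_history", stored)
	fmt.Println("moved to another record:", err) // authentication failure, not plaintext
	k, _ := NewObjectKey("photos", ".jpg")
	fmt.Println("object key:", k)
}
```

Random 96-bit GCM nonces are acceptable at a clinic's data volumes, but the same key should not be used for an unbounded number of encryptions; key rotation (and re-encryption of stored fields under the new key) keeps the nonce-collision risk negligible.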
Risk identified: Collection of full-body photographs creates a heightened privacy risk due to the sensitive nature of the images.
Safeguards implemented: Photos are stored in S3 with non-enumerable random key suffixes; access is restricted to the reviewing admin only; photos are reviewed solely for eligibility purposes; admin guidance requires deletion of photos after the review period; explicit consent is obtained at the point of upload.
Residual risk: Low — mitigated by access controls, consent, and deletion guidance.
Risk identified: Use of an AI/LLM vision model to analyse submitted photos may constitute automated decision-making under UK GDPR Article 22.
Safeguards implemented: The AI analysis is advisory only — a human admin reviews every report before any eligibility decision is made. The AI report is logged and visible to the admin. Patients are informed in the screening questionnaire that photos may be analysed for authenticity. No fully automated decisions are made.
Residual risk: Low — human review ensures Article 22 safeguards are met.
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Clinical records and health data | 8 years from last contact | NHS Records Management Code of Practice 2021 |
| Financial records and payment data | 7 years from transaction | HMRC record-keeping requirements |
| Screening questionnaires and photos | 8 years (clinical period) | NHS Records Management Code of Practice 2021 |
| Audit logs and governance records | 10 years | CQC inspection evidence requirements |
| HR and staff records | 6 years after employment ends | Employment law and HMRC |
| Marketing consent records | Until consent is withdrawn + 1 year | ICO guidance on consent records |
Patients can exercise the following rights at any time through the My Data & Privacy section of their patient portal, or by emailing [email protected]:
| Right | Article | How to Exercise | Response Time |
|---|---|---|---|
| Access (SAR) | Art. 15 | Patient portal → My Data & Privacy → Subject Access Request | 1 calendar month |
| Rectification | Art. 16 | Patient portal → My Data & Privacy → Correct Your Data | 1 calendar month |
| Erasure | Art. 17 | Patient portal → My Data & Privacy → Request Data Deletion | 1 calendar month |
| Restriction | Art. 18 | Patient portal → My Data & Privacy → Restrict Processing | 1 calendar month |
| Portability | Art. 20 | Patient portal → My Data & Privacy → Data Portability | 1 calendar month |
| Object to processing | Art. 21 | Patient portal → My Data & Privacy → Right to Object | 72-hour acknowledgement; 1 calendar month response |
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
We would ask that you contact us first at [email protected] so we have the opportunity to address your concern before you escalate to the ICO.
© 2026 Clare Connolly Weight Loss Clinic. All rights reserved.