Privacy Policy

Our Values

In line with our core values, THE RAINBOW MEDICAL GROUP LTD is committed to protecting and respecting your privacy and being frank about how we use your data. This privacy notice explains why we collect information about you and how we use that information. If you have any questions about how we use and store your information, please email us at [email protected] 

How we use your information

THE RAINBOW MEDICAL GROUP LTD (“We”) manage your information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and the General Medical Council.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • GDPR
  • Data Protection Act 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012

You can find useful information on your rights on the Information Commissioner’s Office (ICO) website.

As data controllers, we and clinicians have fair processing responsibilities under the GDPR & Data Protection Act 2018. This means ensuring that your personal confidential data (PCD) is handled clearly and transparently, and in a reasonably expected way. 

The Health and Social Care Act 2012 changed the way that personal confidential data is processed. It is therefore important that you are aware of and understand these changes, and that you have an opportunity to object and know how to do so.

We, and health care professionals who provide you with care, maintain records about your health and any treatment or care you have received. These records help to provide you with the best possible healthcare.

Health records may be processed electronically, on paper or a mixture of both; a combination of working practices and technology is used to ensure that your information is kept confidential and secure. Records held by us may include the following information:

  • Details about you, such as address and next of kin.
  • Any contact the private practice has had with you.
  • Notes and reports about your health.
  • Details about treatment and care received.
  • Results of investigations, such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you.

We collect and hold data for the sole purpose of providing healthcare services to you and we will ensure that the information is kept confidential. However, we can disclose personal information if:

  1. It is required by law.
  2. You provide consent – either implicitly for the sake of your own care, or explicitly for other purposes.
  3. It is justified to be in the public interest.

We will use the Information you give us to:

  • Provide healthcare services under obligations arising from any contracts entered between you and us relating to healthcare services.
  • Provide you with the information and services that you have requested.
  • Provide you with information about other services we offer that are like those that you have already received.
  • Contact you about changes to our services.
  • Improve our service (this could include any feedback you have given us).

We will use Information that we collect about you to:

  • Improve and administer our website.
  • Help business operations through troubleshooting, testing and data analysis.

Some of this information will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict and secure measures to ensure that individual patients cannot be identified.

Information may be used for clinical audit purposes to monitor the quality of services provided and may be held centrally and used for statistical purposes. Where we do this, we ensure that you cannot be identified.

Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.

You can choose to withdraw your consent to data being used in this way. When we participate in any new data-sharing scheme we will make you aware by displaying prominent notices on our website at least four weeks before the scheme is due to start. We will also explain clearly what you must do to ‘opt-out’ of each new scheme.

You can object to your personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

Use of Artificial Intelligence (AI)

As part of our commitment to providing high-quality, patient-centred care, we use secure, GDPR-compliant AI transcription tools (such as Heidi) to support clinicians during your consultation. The use of AI allows us to enhance your experience while ensuring the highest standards of data privacy and clinical integrity. AI helps transcribe your consultation as it happens, allowing your clinician to focus entirely on you – rather than on typing or paperwork. This ensures that your medical record is comprehensive, accurate, and tailored to your care.

Importantly, no audio recordings are ever stored – transcription occurs live and securely in real time.

1. Purpose of AI Use
We use AI to assist with two key aspects of your care:

  • Real-Time Clinical Documentation: AI helps transcribe your consultation as it happens, allowing your clinician to focus entirely on you – rather than on typing or paperwork. This ensures that your medical record is comprehensive, accurate, and tailored to your care.
  • Medical Data Analysis: AI may also support clinicians by analysing your medical data to identify patterns, summarise clinical notes, and assist with clinical decision-making. However, AI does not make decisions on your behalf – your clinician remains fully responsible for your care.

These tools are used solely to enhance efficiency and improve the quality of care you receive. AI does not replace clinical judgment.

2. How Your Data is Handled
We are committed to handling your information with care, confidentiality, and full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

  • No audio is stored: Your conversation is transcribed live during the consultation; no recordings are kept.
  • De-identification: Your personal identifiers (e.g., name, address) are temporarily replaced with placeholders while AI processes your data.
  • Re-identification: The correct details are securely reinserted into the final medical note, which is then saved to your Electronic Health Record.
  • Data security: All data is encrypted, stored securely within the UK, and accessible only to your clinician.
  • Data use: Your information is never used to train AI models. We do not use your data for secondary purposes such as marketing or product development.

If at any point your data is deleted from your clinician’s records, it is also permanently deleted from our AI system.

3. Patient Consent
We believe in transparency and patient choice.

  • Before your appointment, your clinician will inform you that AI will be used to assist with documentation and data processing.
  • You have the right to opt out at any time. If you do not wish for AI to be used during your session, your clinician will use traditional note-taking methods instead.
  • Withdrawing consent does not impact the quality of care you receive. It simply means AI tools will not be used for your session.
  • Verbal consent is typically obtained at the start of each session. In some cases, written consent may be required – particularly if AI is used to support clinical analysis or decision-making.

For more details about our use of AI, or to withdraw your consent, please speak with your clinician or contact us directly.

How long do we store your information?

We follow guidance issued by the General Medical Council on ‘Records management and retention’ and as such adhere to the ‘Records Management Code of Practice’ published by the NHS. We will keep your identifiable data for no longer than necessary. Medical records will be kept for 20 years, from the date of your last appointment, or 8 years after your death, whichever is sooner.

Risk Stratification

Risk stratification is a process for identifying and managing patients who are at high risk of requiring emergency or urgent care. Typically, this is because patients have a long-term condition such as COPD, cancer or another medical condition at risk of sudden worsening.

Information about you is collected from several sources including NHS Trusts and from us. A risk score is then arrived at through an analysis of your de-identified information and is provided back in an identifiable form to your doctor or member of your care team. 

Risk stratification enables your doctor to focus on preventing ill health and not just the treatment of sickness. If necessary, your doctor may be able to offer you additional services.

Please note that you have the right to opt out of Risk Stratification.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the GDPR & Data Protection Act 2018 (which is overseen by the Information Commissioner’s Office), the Human Rights Act and the Common Law Duty of Confidentiality.

All our staff receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis.

We always maintain our duty of confidentiality to you. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

Who are our partner clinical organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts
  • Specialist Trusts
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police
  • Other ‘data processors’ 

Access to personal information

You have a right under the GDPR & Data Protection Act 2018 to access/view information we hold about you, and to have it amended or removed should it be inaccurate. You have the right to change your mind and reverse a previous decision. Please contact us if you change your mind regarding any previous choice. This is known as ‘the right of subject access’. If we do hold information about you, we will:

  • give you a description of it.
  • tell you why we are holding it.
  • tell you who it could be disclosed to.
  • let you have a copy of the information in an intelligible form.
  • If we choose not to action your request we will explain the reasons for our refusal.

If you would like to make a ‘subject access request’, or have any concern about how we have handled your data, please email us at [email protected] or call us on 0800 054 1850 or write to:

The Data Controller

THE RAINBOW MEDICAL GROUP LTD

2 The Crescent,

King Street,

Leicester, LE1 6RL

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. To protect your confidentiality, we will ask you to verify your identity before proceeding with any request you make under this privacy notice. If you have asked someone else to submit a request on your behalf, we will ask them to prove they have your permission to act.

Change of your Details

It is important that you tell the person treating you if any of your details, such as your name or address, have changed or if any of your details, such as date of birth, are incorrect.

Contacting the Regulator

If you have any concerns about our use of your personal information, please email us at [email protected] or call us on 0800 054 1850 or write to:

The Data Controller

THE RAINBOW MEDICAL GROUP LTD

2 The Crescent,

King Street,

Leicester, LE1 6RL

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire, SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Notification

The GDPR & Data Protection Act 2018 requires us to register a notification with the Information Commissioner to describe the purposes for which we process personal and sensitive information. This information is publicly available on the Information Commissioner’s Office website, where you can search for our entry. We are registered with the Information Commissioner’s Office (ICO).

Cookies

Our website does use cookies to optimise your experience, but you’ll have the option to decline the use of cookies on your first visit to the website. You can set your browser to notify you when you receive a cookie. This enables you to decide if you want to accept it or not. For more information about cookies, including how to set your browser to reject them, please see www.allaboutcookies.org.

Who is the Data Controller?

The Data Controller, responsible for keeping your information secure and confidential, is DR JOSEP VILANOVA. Any changes to this notice will be published on our website. We are registered as a data controller under the GDPR & Data Protection Act 2018. You can email the Data Controller at [email protected]

Any changes to our Privacy Policy will be published on our website. This Privacy Policy was created in March 2023 and will be reviewed in March 2024.