Privacy Notice
Private Dermatology Practice — Sutton Coldfield
Last updated: May 2026
This privacy notice explains how your personal information is collected, used and protected when you receive care from this private dermatology practice.
Data Controller:
– Dr Aaron Wernham, Consultant Dermatologist
– Spire Little Aston Hospital, Sutton Coldfield
– Email: via contact form
ICO Registration Number: ZB039162
In order to provide you with dermatological care, we may collect and hold the following information:
– Full name, date of birth, address
– Contact telephone number(s) and email address
– GP details and referral information
– Medical history relevant to your skin condition and general health
– Details of medications, allergies and previous treatments
– Clinical notes, examination findings and diagnoses
– Photographs of skin lesions or conditions (with your consent)
– Results of investigations such as biopsies or patch testing
– Correspondence with other healthcare professionals involved in your care
– Appointment history and attendance records
– Invoicing and payment records (but not payment card details)
We process your personal data under the following lawful bases under UK GDPR:
– Article 6(1)(b) — Processing is necessary for the performance of a contract (i.e. your care with this practice)
– Article 9(2)(h) — Processing of special category health data is necessary for the purposes of medical diagnosis and the provision of healthcare
We also have a professional and legal obligation to maintain accurate medical records as part of our duty of care to you.
Your information is used solely for the following purposes:
– Providing you with dermatological diagnosis, treatment and ongoing care
– Communicating with your GP or other clinicians involved in your care, where relevant
– Issuing invoices and maintaining financial records
– Complying with our legal and regulatory obligations as a registered clinician
We do not use your personal data for marketing purposes, and we do not sell your data to any third party.
Your information is treated in strict confidence. We may share it in the following limited circumstances:
– With your GP or referring clinician, where clinically appropriate and where you would reasonably expect this as part of your care
– With other healthcare professionals (e.g. histopathology laboratories, specialist colleagues) directly involved in your treatment
– With NHS or private hospitals where procedures are carried out on your behalf
– Where we are legally required to do so (for example, reporting certain communicable diseases or responding to a court order)
We will always seek your consent before sharing information in circumstances outside of those listed above.
We retain patient records in line with professional guidance from the British Medical Association (BMA) and Medical Defence Union (MDU):
– Adult patient records are retained for a minimum of 8 years from the date of last treatment
– Where records are held electronically, data is deleted and storage is overwritten in accordance with recognised data destruction standards.
We take the security of your personal information seriously. Our security measures include:
– Patient records are held on an encrypted, password-protected local system using BitLocker drive encryption
– Access to the system is protected by multi-factor authentication (MFA)
– No patient data is stored in cloud-based systems or transmitted to external servers
– Physical premises are secure, with access restricted to authorised personnel only
– Paper records, where they exist, are stored in locked filing cabinets
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we are legally required to notify the Information Commissioner's Office (ICO) within 72 hours, and will also notify you directly where required.
Under UK GDPR, you have the following rights in relation to your personal data:
Right of access
You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month.
Right to rectification
If you believe any information we hold is inaccurate or incomplete, you may ask us to correct it.
Right to erasure
In certain circumstances, you may ask us to delete your personal data. Please note that this right is limited where we have a legal or professional obligation to retain records.
Right to restrict processing
You may request that we restrict how we use your data in certain circumstances.
Right to object
You may object to processing of your personal data in certain circumstances, including where processing is based on legitimate interests.
Right to data portability
Where processing is based on your consent or a contract, you may request your data in a portable, machine-readable format.
To exercise any of these rights, please contact us using the details in Section 1. We will respond promptly and without charge.
If you have a concern about how we handle your personal data, please contact us in the first instance and we will do our best to resolve it.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time:
– Website: www.ico.org.uk
– Telephone: 0303 123 1113
– Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We review this privacy notice periodically and will update it when our practices change or when required by law. The current version will always be available on our website and at the practice. Any material changes will be communicated to active patients directly.
This notice was prepared in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Copyright © 2026 Dr Aaron Wernham Consultant Dermatologist - All Rights Reserved.