Because this is a clinical service, I hold more sensitive information about you than most websites you visit — your medical history as well as your name and contact details. This policy explains what I collect, why, who it is shared with, how long it is kept, and the rights you have over it. It is written to meet the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and I have tried to keep it in plain English.
Who is responsible for your information
The data controller is Lucy's Prescribing Ltd, registered in England and Wales (company number 14782301). Registered office: [registered office address]. The clinic is run by Lucy, an NMC-registered nurse and independent prescriber, and she is the only person with routine access to clinical records.
Lucy's Prescribing Ltd is registered with the Information Commissioner's Office (ICO), registration number [ICO registration number].
For anything relating to your information, contact hello@lucysprescribing.co.uk or call +44 7700 900 118.
What I collect
If you are a client
- Identity and contact details — name, date of birth, address, phone number and email address.
- Health information — your medical history, current medicines, allergies, relevant lifestyle information, consultation notes, treatment plans, prescriptions issued, consent records and any clinical photographs taken with your agreement. This is "special category" data under UK GDPR and is handled with extra care.
- Referral information — the details and proposed treatment plan sent to me by your referring practitioner.
- Payment records — invoices and confirmation of payment. Card payments are handled by the payment provider; I never see or store your full card details.
If you are a referring practitioner
- Your name, business name, contact details, qualifications and insurance details, and records of the referrals we work on together.
If you contact me through the website
- The contact form does not send anything to a server. It opens a pre-filled message in your own email app, so nothing you type is stored by this website — I only receive what you choose to send by email. Please do not include medical history in a first enquiry; that is taken properly at consultation.
Where your information comes from
Directly from you; from your referring practitioner as part of the referral; and, where relevant to your care and with your knowledge, from the dispensing pharmacy or your GP.
Why I use it, and the legal basis
- Providing the prescribing service — assessment, prescribing, record-keeping, aftercare and communication about your appointments. Legal basis: performance of a contract (Article 6(1)(b)); for health information, provision of health care by a registered professional subject to a duty of confidentiality (Article 9(2)(h)).
- Meeting legal and professional obligations — medicines legislation, NMC record-keeping standards, tax and accounting rules. Legal basis: legal obligation (Article 6(1)(c)).
- Protecting you in an emergency — for example sharing information with emergency services during a complication. Legal basis: vital interests (Article 6(1)(d) and Article 9(2)(c)).
- Responding to enquiries and running the practice. Legal basis: legitimate interests (Article 6(1)(f)).
- Defending legal claims — sharing with my indemnity insurer or legal advisers if a claim arises (Article 9(2)(f)).
I do not send marketing. If that ever changes, it would only be with your prior consent, and you could withdraw it at any time.
Who your information is shared with
- Your referring practitioner — the outcome of the consultation, the prescription and relevant clinical notes, so your treatment can go ahead safely. This is the core of how the service works and is explained to you before your consultation.
- The dispensing pharmacy — the prescription and the details needed to dispense it.
- Your GP — only where clinically necessary and normally with your agreement, unless urgent safety concerns mean I must share without it.
- My indemnity insurer, legal or professional advisers — if needed to respond to a complaint or claim.
- Regulators and authorities — the NMC, courts or other bodies where the law requires it.
Your information is never sold or shared for advertising. Where service providers (such as email or secure storage) process data on my behalf, they do so under contract and, if any processing happens outside the UK, only with the safeguards UK GDPR requires.
Cookies and this website
This website sets no cookies and runs no analytics or tracking. The fonts are loaded from Google Fonts, which means your browser requests those files from Google's servers and Google sees your IP address as part of serving them — see Google's privacy policy. Nothing else on the site sends data anywhere.
How long I keep it
- Clinical records — a minimum of 8 years from your last appointment, in line with healthcare record-keeping guidance and my indemnity requirements. If anyone under 18 were ever treated, their records would be kept until their 25th birthday.
- Enquiries that don't become clients — up to 12 months, then deleted.
- Practitioner account and referral records — for the duration of our working relationship and 8 years after the last referral.
- Financial records — 6 years after the end of the relevant financial year, as tax law requires.
How it is protected
Records are stored electronically with encryption and access controls, and any paper documents are locked away and scanned into the record. Access is limited to Lucy. Email is used for correspondence; anything clinically sensitive is sent using password protection or a secure sharing method wherever possible.
Your rights
- Access — ask for a copy of the information I hold about you (a "subject access request").
- Rectification — have inaccurate information corrected.
- Erasure — ask for deletion. Note that clinical records usually must be retained for the periods above, so this right is limited while those obligations apply.
- Restriction and objection — limit or object to certain uses of your information.
- Portability — receive certain information in a reusable format.
To use any of these rights, email hello@lucysprescribing.co.uk. I will respond within one month. There is no fee unless a request is clearly unfounded or excessive.
Not happy with how your information has been handled? Please raise it with me first — see the complaints procedure. You also have the right to complain to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113.
Changes to this policy
Any changes will be published on this page with a new "last updated" date. Significant changes affecting current clients will be flagged directly.