GDPR

Privacy Notice

Confidentiality is at the heart of everything we do, and protecting the privacy of our clients is of utmost importance to us. This privacy notice sets out how Step-by-Step Recovery collects, uses, shares, and protects your personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other relevant legislation.

By continuing to use our services or website, you are consenting to the collection and processing of your data as described below.


Data Controller

Step-by-Step Recovery Ltd (The Lighthouse Rehab Clinic)
1A Southchurch Avenue, Southend-On-Sea, SS3 9BA
Telephone: 01702 296 006
Email: [email protected]

If you are dissatisfied with our response regarding your data, you have the right to lodge a complaint with the Information Commissioner’s Office:
www.ico.org.uk


What Information We Collect

We collect and process personal data relevant to your care, including:

  • Contact details (e.g. name, address, phone, email)

  • Date of birth, NHS number, National Insurance number

  • Health and medical data (physical and mental health)

  • Financial and insurance information

  • Next of kin and emergency contacts

  • Sensitive personal data such as ethnicity, religion, nationality, and residency status

You may be asked to provide this data when enquiring about treatment, completing admissions forms, giving feedback, or via third-party referrals.


Legal Basis for Processing

We collect and process your personal data under the following legal bases:

  • Consent: Where you have given clear permission

  • Contract: Where data is necessary for providing care or services

  • Legal obligation: For compliance with statutory duties, such as health and safety or safeguarding

  • Vital interests: Where necessary to protect life

  • Legitimate interests: For the efficient management of our services and to improve care delivery

  • Public interest: In the area of public health, where applicable


How We Use Your Data

Your data is used to:

  • Deliver and manage treatment and care

  • Maintain accurate medical records

  • Respond to queries or feedback

  • Process payments or insurance claims

  • Communicate with you or those acting on your behalf regarding treatment or policy updates

  • Send relevant service communications (e.g. newsletters or event notices)


Sharing Data with Third Parties

We may share relevant data with third parties for the purpose of onward referrals or accessing related recovery and support services. Data will only be shared where appropriate and proportionate, and with your consent unless there is a legal basis to share without it (e.g. safeguarding concerns or court orders). Third parties are required to handle your information securely and in line with UK GDPR obligations.

We may also share data with:

  • GPs and healthcare professionals, where relevant to your care

  • Local authorities, safeguarding boards or social care, when legally required

  • Insurance providers acting as joint data controllers

  • IT service providers who support our systems

  • Consultants or contractors (under strict confidentiality agreements)

We do not sell your data to third parties.


Data Security and Storage

Your data is stored securely using a combination of:

  • Locked filing systems for paper records

  • Encrypted and password-protected digital systems

  • Secure cloud storage solutions within the UK or EU, compliant with data protection legislation

Access is restricted to authorised personnel only. All staff are trained in data protection and confidentiality protocols, and policies are reviewed regularly.


Retention of Data

Your personal data will be retained only as long as necessary to fulfil the purposes it was collected for. Clinical records are retained for eight years following your last engagement with us, in accordance with legal requirements.

Contact details may be retained longer unless you request deletion.


Transferring Data Outside the UK

Occasionally, your data may be processed or stored in countries outside the UK or EU. In such cases, we ensure appropriate safeguards are in place (e.g. adequacy decisions or standard contractual clauses) to maintain the security and integrity of your information.


Your Rights

You have the following rights under data protection law:

  • Right to be informed about how your data is used

  • Right of access to your personal data

  • Right to rectification of inaccurate or incomplete data

  • Right to erasure (in certain circumstances)

  • Right to restrict processing of your data

  • Right to data portability

  • Right to object to processing based on legitimate interests

  • Rights relating to automated decision-making and profiling (if applicable)

Requests can be made by contacting us using the details above. We aim to respond within one month.
