Confidentiality Policy

Last updated: February 2026

Clinic Name: JB Academy of Aesthetics

Registered Provider: Joanne Brannan, MSc, BSc, INP

Version: 1.0

Date Implemented: 6th February 2026

Review Date: 6th February 2027

View our ICO Certificate here.

1. Purpose of the Policy

JB Academy of Aesthetics is committed to protecting the confidentiality, privacy, and dignity of all patients.

This policy ensures that personal and sensitive information is:

·       Collected lawfully

·       Stored securely

·       Used appropriately

·       Shared only when necessary and legally justified

The clinic complies with the requirements of Healthcare Improvement Scotland (HIS) and all relevant UK data protection legislation.

2. Scope

This policy applies to:

·       Clinic Director

·       Employed staff

·       Self-employed healthcare professionals using the premises

·       Contractors

·       Students or observers

It applies to all formats of information, including:

·       Electronic patient records

·       Paper documentation

·       Photographs and clinical images

·       Emails and text communications

·       Verbal discussions

3. Definitions

Confidential information includes:

·       Personal data (name, address, DOB, contact details)

·       Sensitive health information

·       Treatment records

·       Photographic images

·       Financial information

·       Any information shared in confidence

4. Principles of Confidentiality

JB Academy of Aesthetics adheres to the following principles:

1.     Information is shared on a need-to-know basis only

2.     The minimum necessary information is disclosed

3.     Patients have the right to know how their information is used

4.     Explicit consent will be obtained where required

5.     All staff have a legal and professional duty of confidentiality

5. Legal framework

This policy operates in accordance with:

·       Data Protection Act 2018

·       UK General Data Protection Regulation (UK GDPR)

·       Common Law Duty of Confidentiality

·       Caldicott Principles

·       HIS Quality Framework for Independent Healthcare Services

6. Responsibilities

Clinic Director:

·       Ensuring compliance with HIS Standards

·       Ensuring appropriate data protection measures are in place

·       Managing confidentiality breaches

·       Reporting notifiable incidents

All Staff and Practitioners:

Individuals working within the clinic must:

·        Sign a confidentiality agreement

·       Access only records necessary for their role

·       Securely log out of electronic systems

·       Store paper records securely

·       Avoid discussing patients in public

Failure to comply may result in disciplinary action and/or regulatory reporting.

7. Secure Storage of Information

Electronic Records

·       Password-protected systems

·       Encrypted devices

·       Secure cloud-based storage where applicable

·       Regular data backups

Paper Records

·       Stored in locked cabinets

·       Accessible only to authorised personnel

·       Not left unattended in clinical areas

8. Information Sharing

Confidential information may only be shared:

·       With patient consent

·       For safeguarding purposes

·       Where required by law

·       Where there is a serious risk of harm

Information shared externally will be documented clearly in the patient record.

9. Photography & Social Media

Clinical photographs:

·       Require written consent

·       Must be stored securely

·       Must not be used for marketing without explicit consent

No identifiable patient information will be shared on social media without documented consent.

10. Confidentiality Breaches

A breach may include:

·       Loss of patient records

·       Sending information to the wrong recipient

·       Unauthorised access to records

·       Inappropriate discussion of patient details

In the event of a breach:

1.     The Clinic Director must be informed immediately

2.     The breach will be investigated and documented

3.     The Information Commissioner's Office (ICO) will be notified if required

4.     Healthcare Improvement Scotland will be informed where appropriate

Corrective action will be implemented to prevent recurrence.

11. Patient Rights

Patients have the right to:

·       Access their records

·       Request correction of inaccurate information

·       Withdraw consent (where applicable)

·       Be informed how their data is used

Requests must be responded to within statutory timeframes.

12. Retention and Disposal

Records will be retained in accordance with national retention guidance.

When disposed of, records will be:

·       Shredded securely (paper)

·       Permanently deleted (electronic data)

13. Training

All staff will receive:

·       Confidentiality and data protection training at induction

·       Annual updates

·       Additional training following policy updates

14. Monitoring & Review

This policy will be:

·       Reviewed annually

·       Reviewed following any legislative change

·       Audited as part of governance compliance