Privacy Policy
Last updated: March 2026
Who We Are
This privacy policy applies to the private practice of Mr Darren Lewis FRCS(Plast), Consultant Plastic Surgeon. Mr Lewis is the data controller for personal data collected and processed through this website and in connection with your care.
For data protection enquiries, please contact the practice by telephone on 0121 663 0737 or by using the contact form on this website.
ICO Registration
Mr Darren Lewis is registered with the Information Commissioner’s Office as a data controller. Registration details can be verified at ico.org.uk.
What Data We Collect
We may collect and hold the following categories of information:
- Personal identifiers — name, date of birth, address, telephone number, email address
- Health information — clinical history, examination findings, diagnoses, treatment records, clinical correspondence, and investigation results
- Financial information — insurance details, billing and payment records
- Communications — enquiries submitted via this website or by telephone or email
How We Use Your Data
We use your personal data for the following purposes:
- To provide and manage your clinical care
- To communicate with you about your appointments and treatment
- To correspond with your GP, referring clinician, or other treating specialists involved in your care
- To process invoices and manage payment
- To comply with our legal and regulatory obligations
Lawful Basis for Processing
We process your personal data on the following lawful bases under UK GDPR:
- Contract — where processing is necessary to provide the clinical services you have requested
- Legal obligation — where we are required to process data to comply with our legal or regulatory duties
- Legitimate interests — for example, in managing the administration of the practice
Health information is special category data under UK GDPR. We process this data under Article 9(2)(h) — for the purposes of preventive or occupational medicine, medical diagnosis, and the provision of health or social care.
Who We Share Your Data With
Your data may be shared with:
- Your GP or referring clinician, for the purposes of continuity of care
- Other treating clinicians involved in your care
- Your private medical insurer, where applicable
- The treating hospital facility at which your care is provided. The hospital operates as an independent data controller for data processed in connection with your hospital stay or procedure. Please refer to the hospital’s own privacy policy for further information.
- Carebit, our practice management software provider, who act as a data processor on our behalf. Carebit hold data securely in accordance with UK data protection law. Further information is available at www.carebit.co
We do not sell, rent, or share your personal data with any third party for marketing purposes.
How Long We Keep Your Data
Clinical records are retained for a minimum of eight years from the date of last treatment, in accordance with NHS and medical defence guidance. Records relating to the treatment of children are retained until the patient’s 25th birthday, or eight years from the date of last treatment, whichever is longer.
Enquiry data submitted via this website but not resulting in a clinical episode will be retained for twelve months and then securely deleted.
Your Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you (Subject Access Request)
- Request correction of inaccurate data
- Request erasure of your data, subject to our legal obligations to retain clinical records
- Object to processing in certain circumstances
- Request restriction of processing
- Data portability, where applicable
To exercise any of these rights, please contact the practice using the details above. We will respond within one calendar month.
Complaints
If you have a concern about how we handle your personal data, please contact the practice in the first instance. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.
Changes to This Policy
This policy will be reviewed and updated periodically. The date at the top of this page indicates when it was last revised. Continued use of this website following any update constitutes acceptance of the revised policy.
