Privacy Policy

Last updated: 16 July 2026

IIS Health Ltd is committed to protecting your privacy and handling your personal information responsibly, securely and transparently. This Privacy Policy explains what personal information we collect, how and why we use it, who we may share it with, how long we retain it and the rights available to you. It applies to patients, prospective patients, relatives, carers, visitors, website users and anyone who contacts or interacts with IIS Health Ltd or The Cheshire Hand Clinic.

Who we are

IIS Health Ltd is the data controller responsible for deciding how and why your personal information is used.

IIS Health Ltd
Company number: 08588162

Registered office:
Suite 14
Freckleton Business Centre
Freckleton Street
Blackburn
BB2 2AL

Our hospital:
The Cheshire Hand Clinic
Unit 6 Olympic Way
Birchwood
Warrington
WA2 0YL

Telephone: 0333 240 8090
Email: hello@iishealth.com

If you have questions about this Privacy Policy or how we use your information, please contact us using these details.

The information we collect

Depending on your relationship with us, we may collect and use the following information:

  • your name, title, date of birth and contact details;
  • your address, telephone number and email address;
  • your NHS number, patient number and other identifiers;
  • details of your GP and other healthcare professionals involved in your care;
  • information about your physical or mental health;
  • your medical history, diagnoses, allergies, medications and test results;
  • referral letters, consultation notes, clinical correspondence and treatment records;
  • X-rays, scans, photographs and other clinical images;
  • information about treatment, procedures and aftercare;
  • information provided by a relative, carer or representative;
  • next-of-kin and emergency-contact information;
  • private medical insurance and authorisation details;
  • payment, billing and transaction information;
  • communications with us, including emails, letters and telephone enquiries;
  • appointment and attendance information;
  • complaints, concerns, feedback and survey responses;
  • accessibility, communication or language requirements;
  • information collected when you use our website, including your IP address, browser, device and cookie information;
  • CCTV images recorded in shared areas of our premises, including reception and waiting areas and theatre corridors. CCTV is not used in consultation, examination or treatment rooms.

How we collect your information

We may collect information directly from you when you:

  • contact us or make an enquiry;
  • book or attend an appointment;
  • complete a form or questionnaire;
  • receive care or treatment from us;
  • make a payment;
  • submit feedback, a concern or a complaint; or
  • use our website.

We may also receive information from:

  • your GP or another healthcare professional;
  • hospitals, clinics, laboratories, imaging providers or therapists;
  • the NHS;
  • your private medical insurer;
  • a relative, carer or representative;
  • emergency services;
  • public authorities and regulators; and
  • other organisations involved in your care, where permitted by law.

How we use your information

We may use your personal information to:

  • respond to enquiries and arrange appointments;
  • assess your health and determine appropriate care;
  • provide consultations, investigations, treatment and aftercare;
  • maintain accurate clinical and administrative records;
  • communicate with you and other professionals involved in your care;
  • arrange referrals, tests, imaging, prescriptions or further treatment;
  • manage payments and insurance authorisations;
  • operate and improve our healthcare services;
  • monitor quality, safety and patient outcomes;
  • respond to concerns and complaints;
  • meet safeguarding responsibilities;
  • prevent and investigate fraud or unlawful activity;
  • maintain the safety and security of our patients, visitors, staff and premises;
  • comply with legal, regulatory and professional obligations;
  • establish, exercise or defend legal claims; and
  • manage our website, systems and business operations.

Our lawful reasons for using your information

Data-protection law requires us to have a lawful reason for using personal information. Depending on the circumstances, we may rely on:

  • Contract: where using the information is necessary to provide services you have requested.
  • Legal obligation: where we must use information to comply with the law or regulatory requirements.
  • Legitimate interests: where its use is necessary for the safe and effective operation of our healthcare services or business, provided your rights do not override those interests.
  • Vital interests: where using information is necessary to protect someone’s life.
  • Consent: where we have asked for and received your clear agreement.
  • Legal claims: where information is needed to establish, exercise or defend a legal claim.

Health information is classed as special-category data and receives additional legal protection. We may use it where necessary for:

  • medical diagnosis;
  • providing health treatment or care;
  • managing healthcare services;
  • protecting public health;
  • safeguarding;
  • meeting obligations in the public interest;
  • establishing, exercising or defending legal claims; or
  • another purpose permitted by data-protection law.

Where we rely on consent, you may withdraw it at any time. Withdrawal will not affect any processing that took place before consent was withdrawn or any processing supported by another lawful basis.

Who we may share information with

Where necessary and lawful, we may share relevant information with:

  • consultants, doctors, nurses, therapists and other professionals involved in your care;
  • your GP or referring healthcare professional;
  • hospitals and other healthcare providers;
  • laboratories, imaging providers, pharmacies and therapy services;
  • NHS organisations;
  • private medical insurers;
  • relatives, carers or representatives where you have authorised this or where the law permits it;
  • professional advisers, including lawyers, accountants and insurers;
  • payment, IT, website-hosting, communications and electronic patient-record providers;
  • service providers acting on our behalf under appropriate confidentiality and data-protection arrangements;
  • the Care Quality Commission and other regulators;
  • safeguarding authorities, the police, courts or other public bodies where legally required; and
  • another organisation where necessary to protect someone’s vital interests.

We only share information that is reasonably necessary for the relevant purpose. Organisations processing information on our behalf must protect it and may only use it in accordance with our instructions.

We do not sell your personal information.

Medical confidentiality

Your medical information is confidential. Access is limited to people who need the information to provide your care, administer our services or fulfil a lawful responsibility. Healthcare professionals are also subject to professional duties of confidentiality.

We will not normally disclose confidential medical information without your knowledge or permission unless disclosure is required or permitted by law, necessary to protect you or another person from serious harm, or justified in the public interest.

Electronic patient records

We use a secure, cloud-based electronic patient-record system called Meddbase to manage clinical and administrative information. Access to patient records is restricted to authorised users and controlled using appropriate technical and organisational security measures. We understand that Meddbase stores our patient-record information within the United Kingdom. We periodically review our suppliers and their data-protection arrangements.

CCTV

CCTV operates in shared areas of The Cheshire Hand Clinic for safety, security and crime-prevention purposes.

CCTV may cover areas including:

  • reception and waiting areas;
  • entrances and exits; and
  • theatre corridors and other shared circulation areas.

CCTV is not used in consultation, examination or treatment rooms. Recordings are accessed only by authorised persons and may be disclosed to the police, insurers, legal advisers or other authorised bodies where necessary and lawful. CCTV footage is retained only for as long as reasonably necessary for its purpose, unless it is required for an investigation, complaint, insurance matter or legal claim. Appropriate signage is displayed where CCTV is in operation.

International transfers

We aim to keep personal information within the United Kingdom wherever reasonably possible.

Some service providers or technology suppliers may process or permit access to information from outside the United Kingdom. Where this occurs, we will ensure that an appropriate legal safeguard is in place, such as:

  • an adequacy decision;
  • approved contractual protections; or
  • another safeguard permitted by data-protection law.

You may contact us if you would like further information about safeguards relating to an international transfer.

How long we retain information

We retain personal information only for as long as it is reasonably necessary for the purpose for which it was collected and to meet our legal, regulatory, clinical and professional obligations. Clinical records are retained in accordance with applicable healthcare-record retention guidance and legal requirements.

The length of time we retain other information depends on:

  • the nature and purpose of the information;
  • relevant legal and regulatory requirements;
  • professional guidance;
  • patient-safety and continuity-of-care considerations;
  • insurance requirements; and
  • whether the information may be required for a complaint, investigation or legal claim.

When information is no longer required, it will be securely deleted, destroyed or anonymised.

How we protect your information

We use appropriate technical and organisational measures to protect personal information against accidental loss, misuse, unauthorised access, alteration or disclosure.

These measures may include:

  • secure electronic patient-record systems;
  • access controls and user authentication;
  • limiting access according to a person’s role;
  • staff confidentiality and data-protection training;
  • secure storage and disposal arrangements;
  • system monitoring, backups and security controls; and
  • contractual safeguards with service providers.

No system can be guaranteed to be completely secure. If a personal-data breach occurs, we will investigate it and notify affected individuals and the Information Commissioner’s Office where required by law.

Cookies and website information

Our website may use cookies and similar technologies to operate correctly, remember preferences, understand how visitors use the site and improve its performance. Where required, we will ask for your consent before placing non-essential cookies on your device. You can manage your cookie choices through the cookie controls available on our website. Further information will be available in our Cookie Policy.

Marketing

We do not currently undertake routine email or SMS marketing. If we introduce marketing communications in the future, we will only send them where permitted by law and will provide a clear way to opt out. You may withdraw your marketing consent or ask us to stop sending marketing communications at any time. Messages relating to appointments, treatment, patient safety, service administration or your existing relationship with us are not marketing communications.

Automated decision-making

We do not currently make decisions about your care or treatment solely through automated processing where those decisions would have a legal or similarly significant effect on you. If this changes, we will provide appropriate information about the process and the rights available to you.

Adults-only services

IIS Health Ltd and The Cheshire Hand Clinic provide healthcare services only to adults aged 18 and over. We do not knowingly provide treatment to, or create clinical records for, anyone under the age of 18.

We may occasionally receive enquiries concerning someone under 18. We will use the information provided only as necessary to respond to the enquiry, explain that we cannot provide treatment and, where appropriate, direct the enquirer elsewhere. We will then retain or delete that information in accordance with our legal obligations and retention arrangements.

Your data-protection rights

Depending on the circumstances, you may have the right to:

  • request access to the personal information we hold about you;
  • ask us to correct inaccurate or incomplete information;
  • ask us to delete information where there is no lawful reason for us to retain it;
  • ask us to restrict how information is used;
  • object to certain uses of your information;
  • receive certain information in a portable format;
  • withdraw consent where processing relies on consent; and
  • challenge certain decisions made solely through automated processing.

These rights are not absolute and may be subject to legal, clinical or regulatory exceptions. For example, we may need to retain clinical records even if you ask us to delete them. To exercise a right or request a copy of your information, contact:

Email: hello@iishealth.com
Telephone: 0333 240 8090

We may need to confirm your identity before responding. We will not normally charge a fee, although the law permits a reasonable fee or refusal where a request is manifestly unfounded or excessive.

Complaints about our use of information

If you have a concern about how we use your personal information, please contact us first so that we can investigate it:

IIS Health Ltd
The Cheshire Hand Clinic
Unit 6 Olympic Way
Birchwood
Warrington
WA2 0YL

Email: hello@iishealth.com
Telephone: 0333 240 8090

You also have the right to complain to the Information Commissioner’s Office:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint/

Third-party websites

Our website may contain links to websites operated by other organisations. We are not responsible for the content, security or privacy practices of those websites. You should read the privacy information provided by the relevant organisation before submitting personal information to it.

Changes to this Privacy Policy

We may update this Privacy Policy when our services, systems, suppliers or legal obligations change. The latest version will be published on our website. Material changes may also be brought to your attention through another appropriate method.

The date shown at the beginning of this policy indicates when it was last updated.