Privacy Policy

1. Policy Statement

The Manchester Vein Clinic views the correct and lawful handling of personal data as integral to its success and dealings with third parties and its employees.

This Policy outlines the procedure for the making and handling of Subject Access Requests (SARs) and includes the required form in Appendix A for the submission of a Subject Access Request to IVS.

2. What do we do when we receive a subject access request?


Checking of identity

2.1 We will first check that we have enough information to be sure of your identity.

Often we will have no reason to doubt a person’s identity, for example, if we

have regularly corresponded with them. However, if we have good cause to

doubt your identity we can ask you to provide any evidence we reasonably need

to confirm your identity. For example, we may ask you for a piece of

information held in your records that we would expect you to know: a witnessed

copy of your signature or proof of your address.


2.2 If the person requesting the information is a relative/representative of the

individual concerned, then the relative/representative is entitled to personal data

about themselves but must supply the individual’s consent for the release of

their personal data. If you have been appointed to act for someone under the

Mental Capacity Act 2005, you must confirm your capacity to act their behalf

and explain how you are entitled to access their information. If you are the

parent/guardian of a child under 16, we will need to consider whether the child

can provide their consent to you acting on their behalf.


2.3 Should you make a data subject access request but you are not the data

subject, you must stipulate the basis under the General Data Protection Regulation Act that you consider makes you entitled to the information.


Collation of information

2.4 We will check that we have enough information to find the records you

requested. If we feel we need more information, then we will promptly ask you

for this. We will gather any manual or electronically held information (including

emails) and identify any information provided by a third party or which identifies

a third party. This is limited to emails held for the last 2 years only.


2.5 If we have identified information that relates to third parties, we will write to them

asking whether there is any reason why this information should not be

disclosed. We do not have to supply the information to you unless the other

party has provided their consent or it is reasonable to do so without their

consent. If the third party objects to the information being disclosed we may

seek legal advice on what action we should take.


2.6 Before sharing any information that relates to third parties, we will where

possible anonymise information that identifies third parties not already known to

the individual (e.g. the Authority employees), and edit information that might

affect another party’s privacy. We may also summarise information rather than

provide a copy of the whole document. The GDPR legislation requires us to provide

information not documents.


Issuing our response

2.7 Once any queries around the information requested have been resolved, copies

of the information in a permanent form will be sent to you except where you

agree, where it is impossible, or where it would involve undue effort. In these

cases, an alternative would be to allow you to view the information on screen at

the Authority.

6.8 We will explain any complex terms or abbreviations contained within the

information when it is shared with you. Unless specified otherwise, we will also

provide a copy of any information that you have seen before.


3. Will we charge a fee?

3.1 We can charge a £10 fee (plus up to £50 for photocopying) for the processing of any Subject Access Request. If we do charge a fee we will inform you promptly of this.


4. What is the timeframe for responding to subject access requests?

We have 40 calendar days starting from when we have received all the

information necessary to identify you, to identify the information requested, and

any fee required, to provide you with the information or to provide an

explanation about why we are unable to provide the information. In many cases,

it will be possible to respond in advance of the 40 calendar day target and we

will aim to do so where possible.


5. Are there any grounds we can rely on for not complying with a subject

access request?


Previous request

5.1 If you have made a previous subject access request we must respond if a

reasonable interval has elapsed since the previous request. A reasonable

interval will be determined upon the nature of the information, the time that has

elapsed, and the number of changes that have occurred to the information since

the last request.



5.2 The Act contains a number of exemptions to our duty to disclose personal data

and we may seek legal advice if we consider that they might apply. Possible

exemptions would be: information covered by legal professional privilege,

information used for research, historical and statistical purposes, and

confidential references given or received by the Authority.

What do we do with your data?

All data is kept on encrypted systems at the Manchester Vein clinic.

At the Manchester vein clinic we take pictures of the treatment area using and encrypted IPad so we can compare your treatment area after you have had the procedure if you require a reveiw with a consultant or clinical vascular practitioner.

On occasion we may use photos of treatment areas only for promotional content however, on arrival you have the option to opt out of images being used for promotional marketing when completing our comnsultation form.

We will never use a patient image without permission.

Enquiry Form

To make an appointment or to request further information, please contact us: