How Cliniko helps you comply with UK GDPR

An overview of UK's version of the General Data Protection Regulation and how Cliniko makes it easier for you to comply.

Written by Jason Goncalves

In addition to being compliant with EU GDPR guidelines, Cliniko also complies with the UK version of the law (simply referred to as UK GDPR). This article outlines what we have done and how we’ve designed our software to make it as easy and stress-free as possible to meet your legal obligations.


GENERAL INFORMATION

Depending on the data in question, Cliniko can sometimes serve as the ‘processor’ or ‘controller’ of your clinic’s information. Topics related to both of these categories are discussed further down in this article.

But for now, we’ll cover some of the broader responsibilities we’ve taken care of, including the following:


Established a Data Processing Addendum (DPA).

This is an additional agreement that is incorporated into our terms of service if applicable. It makes it possible for Cliniko (and our subprocessors) to legally manage your patient information, even though we aren’t physically located in the United Kingdom.


Updated our Privacy Policy and Terms of Service.

To account for the changes in privacy requirements brought on by Brexit, we have updated our Privacy Policy and Terms of Service. Since we were already GDPR compliant, we didn’t need to change much, just a few small updates. You may need to update your privacy policy as well if you haven’t already.


Appointed a Data Protection Officer (DPO).

We previously appointed an in-house Data Protection Officer (DPO) to make sure Cliniko is compliant with EU GDPR. This same person will also serve as the DPO for UK privacy regulations, acting as an advisor and contact person for data subjects and supervisory authorities.

You can contact our DPO by email at dpo@cliniko.com.


Appointed a UK privacy representative.

Since Cliniko doesn’t have a physical presence in the United Kingdom, Article 27 of UK GDPR requires us to appoint a domestic representative to be our point of contact for any questions or concerns about our privacy compliance.

Our UK representative is VeraSafe. You can reach them by email at article27@verasafe.com or by postal mail at:

VeraSafe United Kingdom Ltd.

37 Albert Embankment

London SE1 7TL

United Kingdom


Our subprocessors also comply with UK GDPR.

Cliniko uses a number of third-party tools, known as ‘subprocessors’. These help our software stay efficient and dependable, including things like cloud-based data storage and cloud-based email delivery services.

Each one complies with UK GDPR—we’ve made sure of that. But if you’d like to get more info, we’ve written another help article on our subprocessors where you can learn more.


CLINIKO AS A PROCESSOR OF DATA

According to the legal definitions, you are the controller of your patients’ private information, and Cliniko is the processor. In other words, you determine the purpose and means for the processing we do on your behalf.

We’ve taken steps to give you the tools you need to fulfil some of your privacy obligations and requests from patients. Below is a list of requirements related to your use of Cliniko and how we help you comply with the regulations.


Remove a patient from marketing-related communications.

The GDPR gives patients the ‘Right to Object’. If a client asks you not to send marketing-related materials, like emails and SMS texts, it’s your responsibility to make sure they don’t receive any.

Cliniko makes this easy. You can first unsubscribe patients from SMS marketing. Then, when sending a group SMS text, you’ll have the option of declaring a message as ‘marketing-related’ or ‘need-to-know’. If the text is marketing-related, only the appropriate patients will receive it. If it’s need-to-know, the message will be sent to your entire list.

Within the Mailchimp integration, deleting or archiving a patient’s details will automatically unsubscribe them from your email list, so you can be confident they won’t accidentally receive any marketing messages from you.


Modify a patient's details.

GDPR acknowledges people’s ‘Right to Rectification’. If a patient asks for a correction of their personal information in your records, Cliniko makes it easy to edit any personal details that need to be changed.


Provide a patient with a copy of their personal info.

Under GDPR, patients have a ‘Right to Access’ their personal information. They also have the ‘Right to Portability’, meaning that when they request a copy of their info, the data you provide should be easily transferred or imported into another system.

To help you with this obligation, each patient file in your Cliniko account has the option to retrieve all the personal data for a single person.


Delete a patient’s information from Cliniko.

A patient’s ‘Right to Erasure’ (aka their ‘Right to Be Forgotten’) requires you, upon request, to remove any of their information that you have stored. While it is possible to permanently delete a patient from your Cliniko records, we do not advise doing that if you are legally required to hold onto their info for a period of time. We recommend archiving their file instead.

If you’re unsure of your obligations to retain patient records, check with your professional organisation before deleting any patient information.


Record a patient’s consent to your privacy policy.

Under GDPR, you must obtain and record a patient’s ‘lawful consent’ before storing their personal information. Once you’ve received the consent, just tick the box in their Cliniko file to show that they have agreed to your clinic’s privacy policy.


Let patients consent to your privacy policy when booking online.

By including a link to your privacy policy with your online bookings, patients will be required to accept it when booking an appointment online. They can’t complete the booking without giving their consent. Once they have, their file will be automatically updated to show that they agreed to your policy.

We do this because booking an online appointment would require that you store some of their personal information. This way, you can ensure your practice stays compliant no matter how a patient books their appointment.


CLINIKO AS A CONTROLLER OF DATA

We are not the controller of your patients’ data, but we do control your data—like your business details, email address, name, phone number, etc. This means we have the same responsibilities that you have for your patients’ information.

Below, you’ll find the details of how we comply with UK requirements for managing your information, including your right to a full deletion of your Cliniko account and opting out of marketing-related communications.


Delete your Cliniko account.

We can permanently delete your entire Cliniko account if you ask us to. But please note that this is irreversible. All of your information (including patient details) will be gone forever.

We’ve made sure you have the tools you need to download your data before we delete anything. However, we do not advise full account deletion if you are legally required to retain patient records for a period of time. Be sure to confirm your obligations through your professional organisation before deleting your account.


Opt out of marketing communications from us.

If you’d rather not receive marketing emails from us, that’s totally fine. You can opt out of messages that don’t relate to your account (like new feature announcements). Just head to the ‘My info’ section in the menu of your account dashboard and make sure the box under ‘Cliniko marketing’ is un-ticked.

This doesn't mean you'll never hear from us again. We’ll still contact you for other things specifically related to your account (like a past due balance or low SMS credits).


If you have any questions about how Cliniko helps you comply with UK GDPR, reach out to our support team. We’re always happy to help!
