Privacy Policy

Last updated: 27 May 2026.
This privacy policy is provided in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Rheumatology Consultancy Limited ("we", "us", "the practice") is the data controller for the personal information described in this policy. Our registered address is Rex Buildings, Alderley Road, Wilmslow, Cheshire, SK9 1HY. The practice is registered with the UK Information Commissioner's Office (ICO) under registration reference ZC080014. You can verify this on the ICO's public register at ico.org.uk.

Clinical care is provided by Dr Liubov Borukhson, Consultant Rheumatologist (GMC 7021928), practising through Rheumatology Consultancy Limited.

2. The information we collect

To provide medical care and run the practice, we may collect and hold:

• Identification and contact details: name, date of birth, address, telephone number, email address.
• Health and clinical information: medical history, symptoms, examination findings, ultrasound and imaging results, blood tests and other investigations, diagnoses, treatments, medications, allergies, and correspondence with your GP and other clinicians.
• Insurance and payment information: insurer, membership/policy number, pre-authorisation codes, billing details. We do not store card or payment details ourselves; payments are handled securely by our designated payment providers.
• Communications: emails, letters, telephone notes, secure messages, and enquiries you send through this website or via WhatsApp. If you contact us via WhatsApp, your message is also subject to WhatsApp's own privacy terms; please do not send sensitive clinical information by WhatsApp and use it for general and appointment enquiries only.
• Website and technical data: if you use this website, limited technical information such as IP address, browser type and pages visited may be processed by our hosting provider for security and reliability. We do not use advertising cookies; optional analytics cookies are only set if you consent through the cookie banner (see section 9).

Health information is "special category" data under UK GDPR and is treated with particular care.

As well as information you give us directly, we may receive information about you from other sources, for example a referral letter and medical history from your GP or another clinician, results from laboratories or imaging providers, and authorisation details from your insurer. We use this information for the same purposes set out in this policy.

3. How we use your information, and our lawful basis

We use your personal data to:

• Provide consultations, diagnosis and treatment, including arranging and interpreting investigations and procedures.
• Communicate with your GP, other treating clinicians and, where applicable, NHS services, for example where a treatment such as infusion therapy is better delivered in an NHS setting.
• Liaise with your insurer for pre-authorisation, claims and billing where you use private medical insurance.
• Manage appointments, send appointment confirmations and reminders, and respond to your enquiries.
• Maintain accurate medical records in accordance with GMC and professional standards.
• Meet our legal, regulatory and accounting obligations.

Our lawful bases under UK GDPR are:

• Article 9(2)(h): the provision of health care, treatment and management of health-care systems, by a regulated health professional bound by a duty of confidentiality (this is the primary basis for handling your health information).
• Article 6(1)(b): performance of a contract with you, for fees, payments and appointment administration.
• Article 6(1)(c): compliance with our legal obligations (for example, tax, accounting and clinical record-keeping requirements).
• Article 6(1)(f): our legitimate interests, such as practice administration, IT security and quality improvement, where these are not overridden by your rights.
• Article 6(1)(a) / 9(2)(a): your explicit consent, where required (for example, sharing information with a third party not otherwise covered).

4. Who we share your information with

We share information only where necessary and with appropriate safeguards. This may include:

• Your GP and other treating clinicians: for continuity of care and in line with GMC guidance.
• Your private medical insurer: where you are using insurance, for pre-authorisation and claims.
• NHS services: where elements of your care, such as infusion therapy, are delivered in an NHS setting, and you have agreed to a transfer of care.
• Laboratories and imaging providers: where investigations are arranged on your behalf.
• Regulators and professional bodies: such as the GMC, the CQC where applicable, or the ICO, where we are required by law or professional duty.
• Our service providers (processors): including secure clinical record systems, IT and email providers, accountants, payment processors, and our website hosting and form provider. Each is bound by a written agreement to protect your information.
• Doctify: our website displays patient reviews via Doctify's verified review service. Doctify processes reviews you choose to submit to them in line with their own privacy notice. We do not share your medical information with Doctify.

We do not sell your personal information, and we do not share it for marketing.

5. International transfers

Your information is stored within the United Kingdom or the European Economic Area wherever possible. Where any of our service providers process data outside the UK/EEA, we ensure that an adequate level of protection is in place, for example via UK adequacy decisions or the International Data Transfer Agreement / Addendum.

6. How long we keep your information

We retain clinical records in line with professional and regulatory guidance for private medical practice in the UK. As a general rule, adult medical records are kept for a minimum of eight years from the end of treatment; records for children and certain specific conditions are kept for longer in accordance with current NHS and professional retention schedules. Financial records are kept for at least six years in line with HMRC requirements. After the relevant retention period, records are securely destroyed.

7. How we protect your information

We use appropriate technical and organisational measures to keep your information secure, including encryption in transit, access controls on a need-to-know basis, secure clinical systems, password and device security, and ongoing staff awareness of confidentiality obligations.

8. Your rights

Under UK GDPR you have the right to:

• Be informed about how we use your data (this policy).
• Request a copy of the personal data we hold about you (subject access).
• Have inaccurate data corrected.
• Request erasure of your data, where applicable (this right is limited for medical records we are required to retain).
• Object to, or restrict, certain types of processing.
• Withdraw consent at any time, where processing is based on consent.
• Data portability, where applicable.
• Not be subject to decisions based solely on automated processing; we do not make any such decisions.

To exercise any of these rights, please contact us using the details below. We will normally respond within one calendar month.

9. Cookies and the website

When you visit our website, we show a cookie banner that lets you choose what is set. The banner distinguishes between:

• Strictly necessary elements that are required for the site and its essential features (such as the embedded Doctify review widgets and the enquiry form) to work. These are always on and cannot be switched off.
• Analytics and other optional cookies, which are only set if you agree. We do not use advertising or marketing cookies, and analytics is only enabled where you have given consent.

You can change your choice at any time by clicking the "Cookie preferences" link in the footer of the website. Some third-party services we use, including the embedded Doctify review widgets, the Google map on our contact page and our website form provider, may set limited cookies or load content from those providers as part of working. These are covered by the providers' own privacy notices. The Google map is provided by Google and is subject to Google's privacy policy.

10. Children

Where we see patients under the age of 18, information about the patient is handled in accordance with this policy. Parents or those with parental responsibility may exercise rights on the child's behalf, in line with current law and professional guidance.

11. Changes to this policy

We may update this privacy policy from time to time, for example if we change how we work or if the law changes. The "Last updated" date at the top of this page shows when the current version took effect.

12. How to contact us, and your right to complain

For any question about your information, or to exercise your rights:

Data Protection Officer (DPO): Dr Vyacheslav Borukhson
Rheumatology Consultancy Limited
Rex Buildings, Alderley Road, Wilmslow, Cheshire, SK9 1HY
Telephone: +44 (0) 20 8152 3999
Email: compliance@rcl.london

If you have any concern about how we handle your information, please contact our Data Protection Officer (above) in the first instance, and we will do our best to put things right. If you remain unsatisfied, you have the right to complain to the UK Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Web: ico.org.uk