Call01256 377 653

Spineworks - Support For your back

Privacy Policy

Spineworks Ltd

Spineworks Ltd (SW) takes the privacy and security of your data very seriously. We understand that your personal data is entrusted to us and we appreciate the importance of protecting and respecting your privacy. To this end we comply fully with the data protection law in force in the UK (“Data Protection Laws”), including the General Data Protection Regulations 2018 and with all the applicable clinical confidentiality guidelines including those published from time to time by the General Medical Council.

From the 25 May 2018, the current Data Protection Act will be replaced by the EU General Data Protection Regulation (GDPR) and a new Data Protection Act. All uses of your information will comply with the GDPR and the new data protection act from that date onwards.

This Privacy Policy, dated 1 May 2018, sets out the basis on which we collect and process personal data about you including our practices regarding the collection, use, storage and disclosure of personal data that we collect from you and/or hold about you, and your rights in relation to that data.

Please read this policy carefully to understand how we process your personal data. By providing your personal data to us so as to use the services Spineworks Ltd provides you are accepting or consenting to the practices as described or referred to in this Privacy Policy.

For the purpose of Data Protection Laws, the data controller is Mr Andrew Quaile FRCS, Consultant Spinal and Orthopaedic Surgeon. Mr Quaile is Medical Director of Spineworks Ltd, a Company Limited Registered in England and Wales Number: 03920318.

When we refer to ‘we’,‘us’,‘our’ and ‘SW” we mean Spineworks Ltd.

When we refer to personal data in this policy, we mean information that can or has the potential to identify you as an individual.

Accordingly we may hold and use personal data about you as a customer, a patient or in any other capacity for example if you access our services or speak to us. Depending upon what services you receive from us this may include sensitive personal data such as information relating to your health.


SW’s key priority is to safeguard the privacy and security of your personal data, while providing a service that meets your needs. This policy outlines the following:

  • the kinds of personal data which may be collected from you by SW;
  • who processes the data and for what purposes;
  • how your personal data may be used for fraud prevention;
  • the measures taken to safeguard your personal data;
  • how SW may communicate with you and how you may unsubscribe from these communications;
  • details of SW data controller.

Please read this policy carefully and ensure that you understand how SW will deal with your personal data.

Core Principles

Where it is a data controller, SW abides by the Data Protection Principles in all of its dealing with your personal data. In particular:

Fairness and transparency. SW will only process your personal data lawfully, fairly and in a transparent manner in relation to you.

Specified purposes. Your personal data will only be collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes.

Data minimisation. Your personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy. Your personal data will be accurate and, where necessary kept up to date. We will strive to ensure that data collected is as accurate as possible. Individuals have the right to ask for details of the data held and to require the amendment or deletion of incorrect or out-dated data within a reasonable time.

Limited storage. Your personal data will be kept in a form which permits identification for no longer than is necessary for the purposes for which the personal data are processed. All manual files and databases will be kept up to date and will have an agreed archiving policy.

Data no longer required for the legitimate purposes of Spineworks Ltd will be regularly purged. A clear rationale will be supplied for data to be kept on our systems.

Integrity and confidentiality. Your personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

Our members of staff are bound by confidentiality agreements.

Data Controllers and Processors

SW is a data controller for any of your personal data that you supply to SW in connection with your application for services from SW.

SW may also engage third party service providers to process data (including personal data) on its behalf and include: another treatment provider if we need to refer you on for further treatment or investigations and those who provide a service to us. SW may add to or vary the data processors used to process your personal data in its sole discretion.

The personal data we collect

When we refer to personal data in this policy, we mean information that can or has the potential to identify you as an individual.

Accordingly we may hold and use personal data about you as a customer, a patient or in any other capacity for example if you access our services or speak to us.

Depending upon what services you receive from us this may include sensitive personal data such as information relating to your health.

The personal data we collect will include;

  • information that you give us when you enquire or become a customer or patient of ours or apply for a job with us. These personal details include your name, address, date of birth, email address, landline telephone number and mobile telephone number.
  • the name and contact details including email and telephone number, of your next of kin;
  • details of referrals, quotes and other contact and correspondence that we may have had with you;
  • details of services and/or treatment you have received from us or which have been received by a third party and referred on to us;
  • recording of calls we receive or make;
  • notes and reports about your health and any treatment or care you have received and/or need, including about the clinic and hospital visits and medicines administered;
  • patient feedback and treatment outcome information that you provide;
  • information about complaints and incidents;
  • information you give us when you make a payment to us such as bank details or credit card;
  • other information received from other sources, such as that provided by other companies who have obtained your permission to share information about you.
  • we also collect any personal data that you may supply to SW in your communications with us that you deem to be important in relation to your continuing treatment such as details of other treatment providers and health insurance details including policy number

Where you have named someone as your next of kin and provided us with that personal data about that individual, it is your responsibility to ensure that the individual is aware of and accepts the terms of this Privacy Policy.

The data that we request from you may include sensitive personal data. This includes information that relates to the mental or physical health or racial or ethnic origin. By providing us with sensitive personal data, you give us your explicit consent to process this sensitive personal data for the purposes set out in this Privacy Policy.

The purposes for which we process your personal data

We may collect and process your personal data about you for the following purposes:

  • when you enquire about any of our services or treatments;
  • when you register to be a customer or patient with us or book to receive any of our services or treatments;
  • to verify your identity;
  • to communicate with you, for instance if you communicate with us by email;
  • to improve and monitor our services;
  • to protect our legitimate interests;
  • to communicate with third parties who provide services to us;
  • to communicate with medical professionals and allied health practitioners (AHP’s) such as physiotherapists, osteopaths, chiropractors, lawyers;
  • to troubleshoot and improve our services.

What personal data may we receive from third parties and other sources

We may collect personal data about you from third parties such as;

  • If you are an employee of one of our corporate clients, for example a doctor, lawyer, private health insurance company or a medical specialist who has taken up or requires one of our services then we may be passed your name, date of birth, address, contact number and email address in order to get in touch with you to arrange an appointment or collect further information from you;
  • We have a number of independent third parties acting on our behalf who may collect personal data from you to allow us to carry out the services we offer, for example if you need to be admitted to a private hospital to have treatment or minor operative procedures, under the care of Mr Andrew Quaile, then your personal data, including sensitive data such as your medical records will be shared not only with the hospital but also with other medical staff such as an anaesthetist or radiologist. You may also need further treatment after your procedure, for example physiotherapy, and therefore your data may be shared for continuity of your care.
  • At all stages you are involved in decisions made about your treatment pathway however in an emergency and if you are incapacitated, we may also process your personal data (including sensitive personal data) or make personal data available to third parties on the basis of protecting your ‘vital interest’ (for example, your life or health)
  • Insurance providers such as BUPA and AXA PPP, will share personal data and medical health information of patients who have commenced a claim for treatment, under the care of Mr Andrew Quaile, at Spineworks Ltd.

How do we use your personal data

Your personal data will be kept confidential and secure and will, unless you agree otherwise, only be used for the purpose(s) for which it was collected and in accordance with this privacy policy, applicable Data Protection Laws, clinical records retention periods and clinical confidentiality guidelines.

Sensitive personal data related to your health will only be disclosed to those involved with your treatment or care, or in accordance with UK laws and guidelines of professional bodies or for the purpose of clinical audits (unless you object). Further details on how we use health related personal data are given below. We will only use your sensitive personal data for the purposes for which you have given us explicit consent to use it.

Please note that, although we have set out the purposes for which we may use your personal data below, we will not use your sensitive personal data for those purposes unless you have given us your explicit consent to do so.

We may use your personal data to:

  • enable us to carry out our obligations to you arising from any contract entered into between you and us, including relating to the provision by us of services or treatments to you;
  • provide you with information, products or services that you request from us;
  • notify you of changes to our services;
  • respond to requests where we have a legal or regulatory obligation to do so;
  • check the accuracy of information about you and the quality of your treatment or care, including auditing medical and billing information for insurance claims as well as part of any claims or litigation process;
  • support your general practitioner, nurse or other health professional;
  • assess the quality and/or type of care you have received (including giving you the opportunity to complete customer satisfaction surveys) and any concerns or complaints you may raise, so that these can be properly investigated;

The security of your data

We will hold and process data in accordance with the Data Protection Act, the General Data Protection Regulation and any other applicable data protection legislation.

We protect all personal data that we hold about you by ensuring that we have appropriate organisational and technical security measures in place to prevent unauthorised access or unlawful processing of personal data and to prevent data being lost, destroyed or damaged. We conduct assessments to ensure the ongoing security of our systems. All information you provide to us is stored securely.

Any personal data you provide will be held for as long as is necessary having regard to the purpose for which it was collected and in accordance with records management NHS code of practice and all applicable UK laws.

SW employees will be responsible for ensuring that all standard data care procedures are fully and conscientiously followed.

All employees have a duty to protect individual’s data from accidental disclosure and SW is required to comply with the following obligations;

  • not give passwords or any other security details to other people, who will then have access to your data.
  • to confidentially shred all documents when they are no longer required;
  • to take due care to ensure that data is not left about on laptops, computers or files either in or out of the office where they can be accessed by unauthorised personnel.

We take great care in the safe custody and use of personal data. All records stored digitally are protected by three levels of password protection. Medical records are regularly backed up to prevent loss of information.

When we will disclose your personal data

If you are a SW customer we may share your personal data, including medical information and other sensitive personal data, in strict confidence with other persons who provide a service to us.

We may also share medical information with those involved in your care or treatment such as General Practitioner, Nurse Practitioner, AHP’s, other specialist medical

treatment providers such as anaesthetist, psychologist, surgeon, radiologist and physician. We may require your treatment provider to supply us with any information relating to your medical health on consulting with them.

Where data is processed by a third party for processing SW will ensure that the data is used in full compliance with the Data Protection Act and implement appropriate security measures to protect the information transferred.

We never share any of your personal data with third parties for marketing purposes. We do not use cookies or google analytics on our Spineworks website.

Health information collected during provision of treatment services

Sensitive personal data, including information relating to your health, will only be disclosed to third parties in accordance with this Privacy Policy. That includes third parties involved with your treatment or care, or in accordance with UK laws and guidelines of appropriate professional bodies. Where applicable, it may be disclosed to any person or organisation who may be responsible for meeting your treatment expenses. It may also be provided to external service providers and regulatory bodies, unless you object, for the purpose of clinical audit to ensure the highest standards of care and record keeping are maintained.

Please note that our processing of your personal data is an essential requirement in order for us to provide services to you.

Medical professionals working with us: We may share clinical information about you with our medical colleagues as we think necessary for your treatment. These medical professionals will be independent consultants either working in private practice or the NHS. If they are working in private practice, the consultant is the data controller of your personal data and will be required to maintain their records in accordance with Data Protection Laws and applicable clinical confidential guidelines and retention periods.

Where that is the case, we may refer you to that consultant to exercise your rights over your data. In all circumstances those consultants will only process your personal data for the purposes set out in this Privacy Policy or as otherwise notified to you.

External practitioners: If we refer you externally for treatment, we will share with the personal or organisation that we refer you to, the clinical and administrative information we consider necessary for that referral. This will always be clear to you when we do tis and done with your consent except in an emergency and if you are incapacitated when we may process your personal data, including sensitive personal data, or make personal data available to third parties on the basis of protecting your ‘vital interest’, for example your life or health.

Your GP: If you have not been referred by your GP but another specialist or health provider we may want to share information with them about your treatment under Mr Andrew Quaile’s care. You can ask us not to do this, in which case we will respect that request if we are legally permitted to do so, but you should be aware that it can be potentially very dangerous and/or detrimental to your health to deny your GP full information about your medical history, and we strongly advise against it.

Your insurer: We share with your medical insurer information about your treatment; its clinical necessity and its cost, only if they are paying for all or part of your treatment with us. We provide only the information to which they are entitled. If you raise a complaint or claim we may we required to share personal data with your medical insurer for the purposes of investigating any complaint/claim.

The NHS: If you are referred to us for treatment by the NHS, we will share your details of your treatment with the part of the NHS that referred you to us, as necessary to perform, process and report back on that treatment.

Medical regulators: We may be requested – and in some cases can be required – to share certain information (including personal and sensitive personal data) about you and your care with medical regulators such as the General Medical Council. For example if you make a complaint, or the conduct of a medical professional involved in your treatment is alleged to have fallen below the appropriate standards and the regulator wishes to investigate. We will ensure that we do so within the framework of the law and with due respect for your privacy.

How we communicate with you

SW may contact you by letter, telephone, e-mail or using contact details supplied by you in relation to your treatment.

If you do not wish to receive information by any of these methods, for instance not by email then please contact us, details below.

Write to the Business Manager, Spineworks, BMI The Hampshire Clinic, Basing Rd, Old Basing, Basingstoke RG24 7AL;

Telephone us between the hours of 8.30 pm to 5 pm on 01256 377653;

E-Mail us at with your name, address and date of birth.

Please allow 5 days for us to make the changes.

Access to your personal data

You have a right to know what personal data we hold about you. We will at your request give you access to your personal information. If the data is subject to the DPA requirement that it must be disclosed, the data will be provided within 10 working days of the request. We may ask you to prove your identity before we take any steps to exercise your rights in respect of your personal data.

Please address subject access requests to SW’s data controller. Such data may be redacted or withheld in various circumstances to protect the rights of third parties and if we consider that it is necessary to protect your or our legitimate interests, or those of a third party.

Any request for data based on a legal requirement, for example a request from police, lawyers or other bodies, must, where possible, be put in writing and checked against the advice of SW’s Data Controller, who may seek independent legal advice before the data is disclosed.

Your personal data is protected by legal rights, which may including your right to:

  • object to our processing of your personal data;

  • request that your personal data is erased or corrected;

  • request access to your personal data.

Please be aware that although you have the right to have the personal data about you corrected this right does not extend to matters of opinion such as medical diagnoses.

If any of your personal details have changed, especially contact information such as: email address, postal address and phone number. For more information to exercise your data protection rights please contact us in writing or email

You also have a right to complain to the Information Commissioner’s Office (ICO) which regulates the processing of personal data. For more information please visit:

Please note that our processing of your personal data is an essential requirement in order for us to provide services to you.

Our Data Controller

You can contact SW with any queries related to your personal data or privacy by writing, telephoning or emailing on

Changes to this privacy policy

We keep our Privacy Policy under review and as a result it may be amended from time to time without notice. Therefore we strongly advise you to review this Privacy Policy regularly on our website

This Privacy Policy was updated on 1 May 2018

If you want to request information about our policy you can contact us, details below:

Address: Spineworks Ltd, BMI The Hampshire Clinic, Basing Rd, Old Basing, Basingstoke RG24 7AL.


Telephone: 01256 377653

Spineworks Ltd, Company No. 03920318 Registered in England and Wales. Registered address: 7 Lindum Terrace, Lincoln LN2 5RP

Coronavirus - COVID-19

Please follow government advice before attending our clinics for an appointment. If you think you are at risk please check the NHS 111 website. Meanwhile take care and we look forward to seeing you soon.