SANDS Private Health Clinic LTD maintains this website to provide general information, education and communication about the multi-disciplinary services we provide.

The information on this website should not be construed as specific medical advice or recommendation. SANDS Private Health clinic, its directors and officers, do not guarantee that the information contained on this website is accurate or complete and do not endorse opinions that may be presented on it. The information is subject to change from time to time without notice. SANDS Private Health clinic ltd is not responsible for any actions resulting from the use of this information either by physicians or other persons.

Information contained on this website is not a substitute for a consultation and physical examination by a trained physician. Only discussion of your individual needs with a qualified practitioner will determine the best method of treatment for you.

All information contained within the SANDS Private Health clinic Ltd website is the copyrighted property of SANDS Private Health clinic. Reproduction, redistribution or modification of the information for any purpose is prohibited without the express written permission of SANDS Private Healthcare Ltd.

The information, views, and opinions contained on SANDS Private Health clinic Ltd’s client testimonial web pages are those of individuals and do not necessarily reflect the views and opinions of SANDS Private Healthcare.

Although SANDS Private Health clinic Ltd undertakes reasonable efforts to keep the information contained in its web pages accurate, SANDS Private Health clinic Ltd does not warrant the accuracy, completeness, timeliness, merchantability or fitness for a particular purpose of the information contained in this website. In no event shall SANDS Private Health clinic Ltd be liable to you or anyone else for any decision made or action taken by you in reliance on such information.

SANDS Private Health clinic Ltd, its directors and officers, will not be responsible for any information found on linked web sites or their associated links. The links are provided for the convenience of the reader and not as an endorsement of their contents.

The information provided by our clients is not independently verified by SANDS Private Health clinic Ltd. The views expressed and materials presented represent the personal views of individual clients and do not represent the opinion of SANDS Private Health clinic Ltd. SANDS Private Health Clinic assumes no responsibility for the content of individual member web pages.

The photos on this web site are not intended to represent the results that every patient can expect. Results can vary greatly from patient to patient.

Please be aware that we have a number of self-employed practitioners who work out of our clinic and who are individually responsible for your treatment/care.

For any offers on our website, terms and conditions will apply, and these will be easily accessible.


Data Protection, GDPR & Confidentiality Policy

At SANDS Private Health Clinic we abide by current data protection law requirements.

The Data Protection Act 1998 (the Act) sets out the requirements for handling personal and sensitive personal data as follows:

(i) under the Act, every organisation that processes personal information must notify the Information Commissioner’s Office (ICO) that they do so and have a registered data controller;

(ii) personal data is data that identifies living individuals. Sensitive personal data is information about racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union, physical or mental health or condition, sexual life, and the commission or alleged commission of any offence and any related proceedings;

(iii) processing data includes obtaining, recording, storing, using, disclosing information as well as alteration and destruction; and

(iv) the Act applies to all forms of media, including paper and images.

Management of records: we maintain patient records and store them safely and in good condition for eight years from the date of the patient’s last visit or, if the patient is a child, until his or her 25th birthday, or 26th birthday if the patient was 17 at the conclusion of treatment.

Patient records include such information as:

(i) the patient’s personal data;

(ii) the case history of the patient;

(iii) the patient’s consent to assessment and care;

(iv) the assessment and reassessment of the patient’s health and health needs (including the outcomes of further investigations);

(v) the diagnosis or rationale for care (or both);

(vi) the initial and reviewed plans of care for the patient;

(vii) the care provided to the patient (including any advice given face to face or over the phone);

(viii) any referrals;

(ix) clinical images; and

(x) copies of correspondence.

The requirement of eight years is in line with the requirements that cover general NHS hospital records and other forms of health records. The purpose of this requirement is to make sure that the patient can have access to their recent health records and to provide protection for you if any complaints are made.

SANDS Private Health Clinic LTD have made sure that plans are in place to ensure the safe keeping of patient records in the event of retirement or death (which might include entering into a contract with an organisation or other healthcare professional to hold this responsibility). It is our responsibility to have made provisions in our wills for the safe storage of patients’ records.

These can then be released to a patient or their legal representative on production of the written authority of the patient; and (ii) in the closing of practice, we must publicise the arrangements that we have made to keep the records safe so that patients know how to obtain their records if they want to.

Protecting confidential information:

We must effectively protect personal information against improper disclosure. We must not disclose information about a patient, including the identity of the patient, either during or after the lifetime of the patient, without the consent of the patient or the patient’s legal representative. We must make sure that any personal information about patients that we hold or control is effectively protected at all times against improper disclosure.

It is expected that: (i) neither us nor any members of our staff or colleagues will release or discuss personal or care related information about a patient with anyone, including their spouse, partner or other family members unless you have the patient’s valid consent to do so.

(ii) patient records are handled in a way that prevents them being seen by others (please refer to the records keeping policy);

(iii) paper-based record systems are secure and cannot be accessed inappropriately whether you are on or off the premises;

(iv) electronic recording systems are safe from access from outside the practice, the security and integrity of data is maintained and the system is safely backed-up at regular intervals; and

(v) records are disposed of securely and in a manner that maintains patient confidentiality.

Please see our Record Management policy.


Consent to disclose confidential information:

Appropriate information sharing and data collection is essential to the efficient provision of safe, effective care both for individual patients and for the general public. There are times where it may become appropriate to disclose information to another healthcare professional or disclose information for clinical audit or research purposes. Prior to disclosure of any patient information you must seek and record patient consent.

You must:

(i) ensure that patients know about any disclosures necessary for their care or for evaluating and auditing care so they can object to such disclosures if they wish to;

(ii) obtain and record a patient’s express consent before providing personal information about them to others;

(iii) ensure any member of staff working with the company understands that they are also bound by a duty of confidence, whether or not they have professional or contractual obligations to protect confidentiality; and

(iv) disclose only the information you need to.

It is good practice to anonymise data if this can still serve the purpose of the person asking for the information. This means removing all identifiable information about the patient including, for example, their name, address, date of birth, images or anything else that might serve to identify them.

Disclosure of confidential information without consent:

If disclosure is required by law (statutory disclosure), or by a person or authority having a legal power to make such a demand, then you are legally bound to comply.

There are exceptions to the general rule of confidentiality where disclosure can be made to a third party.

These are:

(i) if you believe it to be in the patient’s best interests to disclose information to another health professional or relevant agency;

(ii) if you believe that disclosure to someone other than another health professional is essential for the sake of the patient’s health and wellbeing (for example, if the patient is at risk of death or serious harm); or

(iii) if, having sought appropriate advice, you are advised that disclosure should be made in the public interest (for example, because the patient might cause harm to others).

The disclosure of confidential information in the public interest is only permissible where there are exceptional circumstances that justify overruling the right of the individual to confidentiality because this has to be balanced against the greater societal interest. Decisions about the public interest are complex and must take account of the potential harm that disclosure may cause and the interest of society in the continued provision of confidential health services (for more information see Department of Health, 2010, Confidentiality: NHS Code of Practice Supplementary Guidance: Public Interest Disclosures, DH, London).

If you make the decision to disclose confidential information, you must, in each case:

(i) inform the patient beforehand as far as this is reasonably practical;

(ii) make clear to the patient what information is to be disclosed, the reason for the disclosure and the likely consequence of the disclosure;

(iii) disclose only the information that is relevant;

(iv) make sure that the person you give the information to holds it on the same terms as those to which you are subject;

(v) record in writing the reasons for the disclosure, to whom it was made, the information disclosed and the justification for the disclosure.

In certain circumstances you will not be able to tell the patient before the disclosure takes place, for example when the likelihood of a violent response is significant, or when informing a potential suspect in a criminal investigation might allow them to evade custody, destroy evidence or disrupt an investigation. If the patient is not told before the disclosure takes place, you should record in writing the reasons why it was not reasonably practical to do so.

That record should be written as soon as possible to be contemporaneous and kept thereafter in a safe and secure place.

GDPR May 2018

Our policy was updated to include our Privacy Policy statement in keeping with GDPR changes in May 2018 and to include ongoing responsibilities of our staff members and practitioners.

At SANDS Private Health clinic, we obtain personal data, which includes 'sensitive' personal data, from our patients at their first booking and onwards. The points below outline how our clinic runs and particularly relate to the updated GDPR from May 2018, informing you of what data we store on our patients and staff, how and why we obtain and store it, and the key requirements all staff are expected to maintain under this policy.

• We take information from patients to create a patient record and file number on our computerised booking system and to create an individual patient card. We store the patient's full name, date of birth, full address and contact details/email address so that we can individually identify our patients when taking future bookings and carrying out future treatments. Each patient is given a unique patient ID number when they are first entered into our system. If a patient would like to know this number so that they can use it for future bookings to anonymise themselves, this is possible; please let reception staff know.

• We also often gather further sensitive data such as GP details and health records/problems on our patients to allow us to book them in with the correct practitioner and to complete relevant further paperwork, for instance consent forms to be released to a third party to allow for further investigation. The practitioner you see at the clinic then also takes further details on case and medical/health history and lifestyle factors to allow them to thoroughly assess and examine the area of complaint, and takes informed consent to allow them to obtain this information and to treat you. All information obtained is stored and backed up on our secure computerised patient booking system. This is currently Practice Pal, which is also compliant with current GDPR legislation.

• Any patient paperwork is stored away in a locked filing cabinet as well as scanned on to our computerised system for further back up. This includes any correspondence to other practitioners. No personal data on any of our patients is left unsupervised or seen by anyone other than staff members at our clinic.

• We currently keep our patient records in line with the General Chiropractic Council Legislation, which means we maintain patient records and store them safely and in good condition for eight years from the date of the patient’s last visit or, if the patient is a child, until his or her 25th birthday, or 26th birthday if the patient was 17 at the conclusion of treatment. After this date all patient information is destroyed confidentially.

• We require written consent from our patients for both contact and treatment purposes. In the case of a child, parent/legal guardian consent is mandatory.

At any time a patient can ask to be removed from our mailing/contact system; please inform a member of staff. If a patient wishes their health care records at the clinic to be removed, we ask that this be requested in writing so that we can further manage the request. We can treat patients with limited information, such as name only, as it is within a patient’s right to limit this information if they so wish. However, consent for such treatment is compulsory, along with all relevant medical and health history information and a declaration of truth for this, as this is required to provide the correct health care to the patient.

• We often need to contact our patients for follow up appointments or for further information on their pain of complaint, for instance to refer them back to their GP for further investigation. Our receptionist at your first visit will explain to you the relevant areas of consent on our paperwork that are needed to allow us to fulfil this. If for whatever reason a patient does not wish to be contacted, then please complete the relevant part on the new patient paperwork, which will then also be transferred to the individual patient account on our computerised system to ensure they are not contacted. Patients can at any time make us aware that they wish to do this so we can then update our records and remove their contact details.

• If a patient pays for a treatment via a card transaction, such as a Visa or credit card, then we store and keep the merchant payment receipts in line with VISA financial guidelines, which is for 13 months. The same computerised booking system stores our financial records, but no bank or card details are stored on this. A payment log is often also given to the individual practitioners at the end of the working day so that they have a record of payments for their own accounts. However, we keep the card receipts locked away in the same way as our patient records, and they too are then destroyed confidentially.

• We lock all computer screens if leaving a patient in the room to ensure confidentiality is maintained.

• If looking at the diary system to book a patient in then the screen is privatised to ensure confidentiality.

• Please be aware that SANDS Private Health Clinic Ltd is primarily a room rental business, therefore all our practitioners work on a self-employed basis, but we ensure that all our practitioners are insured and fully qualified in their relevant field. However, the individual practitioner a patient sees is responsible for their ongoing patient management and treatment. If a patient requires further information on their individual treatment, then they must ask to speak to the relevant practitioner, but you must also make one of the Directors aware of the circumstances.


Data Protection Breaches

All staff at SANDS Private Health Clinic are required to abide by our Data Protection/Confidentiality policy. Any reported or suspected breaches of data protection are thoroughly investigated.

If a breach is identified, the relevant staff member, patient and ICO are informed. If a situation which could result in a breach of confidentiality is found, then the clinic's disciplinary procedures will be followed.

General Data Protection Regulation (GDPR)

On May 25th 2018, the GDPR takes effect.

It sets a new bar for global privacy rights, security, and compliance. The GDPR extends to all companies which process data of EU citizens – in the UK it will replace the Data Protection Act (DPA) and will be unaffected by Brexit. It ushers in expanded rights to individuals and their data, placing greater obligations on businesses and other entities that process personal data.

What is personal data?

“Any information relating to an identified or identifiable person (‘data subject’)”. This is information that could be used, on its own or in conjunction with other data, to identify an individual. Sensitive personal data, such as health data, will require even greater protection and data relating to children even more so. Subsequently, we need to be aware of the new requirements in the GDPR. In particular:

1) Enhanced rights for data subjects

i) Right to be forgotten

ii) Right of access

iii) Right to object

iv) Right to portability

v) Right to rectification

vi) Right to transparency

2) Stricter consent requirements - consent is required for any contact outside of our contractual relationship with the data subject

3) Stricter processing requirements - we need to clarify to people how and why we store their data.

Our approach

Such is the nature of our work that we often collect personal and sensitive data. To explain how we will do this in compliance with the GDPR, we have set out our commitments against the six principles of the GDPR:

1. Lawfulness, fairness, transparency: We have a lawful basis for processing individuals’ data. We ensure they are aware of this.

2. Purpose limitation: The data we collect is specific to a client’s matter, or they have opted-in to marketing.

3. Data minimisation: We only collect the data we need, when we need it.

4. Accuracy: To the best of our knowledge, we make sure the data we hold is correct.

5. Storage limitation: We store data for as long as required by our policies or regulators.

6. Integrity and confidentiality: We have appropriate measures in place to ensure security.

The penalties for not doing so are substantial, up to 20 million euros or 4% of turnover (whichever is greater).



A breach can be any number of things. Any dissemination of an individual’s personal information can be classed as a breach, from leaving documents on the bus to having your laptop stolen. It is very important that you report a data breach to the responsible individual if you suspect a breach has occurred. This is so the risk can be mitigated and reported as soon as possible. The GDPR stipulates a maximum of 72 calendar hours to report a breach.

Subject Access Requests

If you receive a ‘subject access request’ (SAR) from a data ‘subject’, forward it immediately to the responsible person. A SAR can take any form, whether verbal or written, but any such request for access to a subject’s information needs to be dealt with in 30 days/1 month. The process involves bringing together data from a number of sources, involving a number of people.

Any questions, please contact the person responsible for GDPR.



Complaints Policy

At SANDS Private Health Clinic, we strive to offer the best service to all our customers. If at any time you are dissatisfied with any aspect of our services then please do inform us.

We are constantly looking for ways to improve our services and appreciate all feedback. Therefore, please feel free to leave any feedback, which is of course confidential at all times, on the feedback cards below and post them in the feedback box provided.

If you have any general complaints about our services, then please make our reception staff aware and they will try their best to help. If, however, they or you feel management should deal with your issue and you wish to place a grievance against a member of staff, then please contact the Staff manager and partner of SANDS Private Health Clinic, Stephanie Smith, on:

Managers@sands-clinic.co.uk or in writing:

FAO Stephanie Smith,

SANDS Private Health Clinic,

 67 Talbot Road,

Talbot Green,

 CF72 8AE.

Or telephone and request a call back from us on 01443 238232; we will endeavour to respond within 24 hours.

Kind Regards,

SANDS Private Health Clinic

67 Talbot Road, Talbot Green
CF72 8AE Pontyclun

Tel.: 01443 238232
E-Mail: enquiries@sands-clinic.co.uk