
Privacy Policy

IMPORTANT — YOUR RIGHTS MATTER 

This Privacy Policy explains how MedFocus Photography collects, uses, stores, and protects your personal data, including sensitive clinical photographs and health information. As a client, you have the right to access, correct, and request deletion of your data. Please read this policy carefully. If you have any questions, contact us at info@medfocusphotography.co.uk.

1. Who We Are 

MedFocus Photography is a clinical photography business based in Medway, Kent, and London. We provide professional clinical photography services to GP surgeries, private clinics, law firms, care homes, and other healthcare providers across Medway, Kent, and London.

 

For the purposes of UK data protection law, MedFocus Photography is the Data Controller for personal data collected in connection with our clinical photography services.

CONTACT DETAILS

Business name: MedFocus Photography

Service address: Medway, Kent, ME7

Email: info@medfocusphotography.co.uk

Phone: 07552 690721

ICO Registration Number: ZC133306 

2. What Information We Handle

The personal data we collect depends on the engagement. We do not collect any personal data that is not necessary for the provision of our clinical photography services. 

2.1 Special category (health) data 

  • Clinical, dental, dermatological, surgical, wound, aesthetic and medico-legal photographs of identifiable or partially identifiable individuals.

  • Dermatoscopic images captured using the DermLite dermatoscope.

  • Image metadata — camera, date, time, settings, and, where relevant, the location of capture.

  • Notes accompanying the image — anatomical area, view, treatment context, scale references, and (for medico-legal work) chain-of-custody records.

2.2 Patient identifying information (when supplied to us)

  • Patient identifier or reference number issued by the instructing clinic or law firm.

  • First name, last name, date of birth or age, and gender — only where required for the record.

  • Written informed consent forms signed by the patient or by a person with parental responsibility.

  • Session date, location, and clinician referral details.

 

2.3 Information about clinic, healthcare and law-firm clients

  • Name and job title of the referring clinician or practice manager.

  • Name and address of the hospital, GP practice, clinic, care home or law firm.

  • Business contact details — work email addresses, work phone numbers, billing addresses.

  • Service agreements, instructions, invoices, and payment records.

 

2.4 Information about website visitors and enquirers

  • Information you supply through our enquiry form or by emailing info@medfocusphotography.co.uk, such as your name, email address, telephone number, organisation details, and the content of your enquiry.

  • Standard server log information — including IP address, browser type, device information, date and time of access, referring website, and pages visited — held by our website host for security, website performance monitoring, and analytics purposes.

 

3. How We Obtain Your Information  

  • Directly from instructing clinics, hospitals, dental practices and law firms when they engage us.

  • Directly from clients we photograph and from people with parental responsibility for child clients.

  • Directly from you when you contact us by email, phone, or our website.

  • From publicly available professional sources (for example, a clinic's or law firm's website) where we verify the identity of a business client.

4. Why We Use Your Information and Our Legal Basis 

Clinical photographs are special category data under UK GDPR because they relate to health. We only process client images and personal data where we have a valid lawful basis and an appropriate condition for processing special category data.

 

4.1 Clinical record and care delivery 

  • Purpose: to capture, edit, and securely deliver clinical or surgical photographs to the instructing clinician for use in the patient’s medical record and ongoing care. This includes wound monitoring, before-and-after documentation, and support imaging such as dermatoscopy or teledermatology.

  • Lawful basis: legitimate interests — providing the photography service commissioned by the clinic. For hospital work, the healthcare provider may rely on public task.

  • Special category condition: health or social care purposes, carried out under a duty of confidentiality.

4.2 Medico-legal evidence 

  • Purpose: to capture and preserve photographic evidence for legal proceedings under instruction from a law firm, the patient, or a court. This may include documenting personal injury, clinical negligence, safeguarding concerns, or other matters where photographs may be required as evidence.

  • Lawful basis: legitimate interests — providing photographic evidence for legal claims, or compliance with a legal obligation where required by a court order.

  • Special category condition: necessary for the establishment, exercise, or defence of legal claims.

4.3 Marketing, portfolio and social media use of identifiable images

  • Purpose: to use before-and-after or portfolio images of clients in our marketing materials, on our website, or on social media (such as Instagram), only where the patient has given specific, informed, written consent for this exact purpose.

  • Lawful basis: explicit consent.

  • Special category condition: explicit consent.

Important: Marketing consent is always separate from clinical consent. Consent for clinical records does not permit marketing use. Marketing consent clearly states where the images will be used (for example our website and Instagram) and can be withdrawn at any time. We only use images where the patient has signed our marketing-specific consent form.

4.4 Business administration

  • Purpose: managing enquiries, contracts, invoicing, accounts, taxes, insurance, and supplier relationships.

  • Lawful basis: contract and legal obligation, including financial and tax record-keeping requirements.

4.5 Website security and analytics

  • Purpose: operating, securing, monitoring, and improving our website.

  • Lawful basis: legitimate interests.

5. Consent and How We Ask for It

Before any clinical photographs are taken, MedFocus Photography ensures that: 

  • The client (or their authorised representative) has given explicit, informed written consent for their photographs to be taken. 

  • The client has been clearly informed of the purpose for which the photographs will be used. 

  • The client has been informed of their right to withdraw consent at any time. 

  • A signed consent form is obtained and securely stored prior to photography. 

  • Where the patient is a child or lacks capacity, consent is obtained from an appropriate legal guardian or representative in accordance with the Mental Capacity Act 2005. 

 

Consent is captured using a GDPR-compliant digital consent platform, and we follow the Institute of Medical Illustrators (IMI) layered consent model: 

  • Clinical record — images used only in your medical record and for your care. 

  • Internal teaching and audit — sharing within the clinical team. 

  • External teaching and publication — for example, conferences and journals. 

  • Marketing, advertising, and social media — including before-and-after images on websites and Instagram. 

  • Medico-legal — for use in legal proceedings. 

You may consent to one tier without consenting to others. 

Right to withdraw consent 

You may withdraw consent at any time by contacting us at info@medfocusphotography.co.uk. Withdrawal does not affect the lawfulness of processing carried out before your withdrawal. We will stop new uses of your image immediately and remove it from any channel we control as soon as reasonably practicable. We cannot recall material that has already been printed or distributed by third parties (for example, a published journal article). 

Children and young people 

For child clients, consent is given by a person with parental responsibility, with assent from the child where they are old enough to understand. From age sixteen, a young person may consent for themselves. We re-confirm consent for any continued marketing use of childhood images when the person reaches adulthood, where it is reasonable to do so. 

 

6. How We Store and Protect Images 

6.1 Storage systems 

  • All clinical images are stored securely on Proton Drive, an end-to-end encrypted, GDPR-compliant cloud storage platform provided by Proton, a privacy-focused company based in Switzerland. Data is protected by strong European privacy laws, with secure infrastructure located in Switzerland and Germany. 

  • Access to clinical files is restricted to authorised personnel only and protected by strong unique passwords and two-factor authentication. Images are encrypted both in transit and at rest to maintain confidentiality and security. 

  • Physical copies of consent forms, where used, are stored in a locked and secure location at our business address. 

 

6.2 Local handling 

  • Images are transferred from camera card to encrypted device storage as soon as practicable after capture. 

  • Camera memory cards are wiped after confirmed transfer. 

  • All workstations and laptops used to handle patient images use full-disk encryption (BitLocker) and are kept up to date with security patches. 

  • Auto-backup to consumer cloud services (iCloud Photos, Google Photos, OneDrive personal) is disabled on every device used for clinical capture. 

  • Personal devices and personal email are never used to store, send, or share patient images. 

 

6.3 Access controls 

  • Access to clinical images is strictly limited to MedFocus Photography and the referring clinician or healthcare provider. 

  • Images are never shared publicly or used for marketing without explicit written consent. 

 

6.4 Delivery to clinics 

Images are delivered to the instructing clinic by encrypted, password-protected transfer. The password is sent via a separate channel from the file itself. Where the clinic uses its own secure image management system or PACS, we deliver directly into that system on the clinic's instructions. 

 

6.5 International transfers 

Data is processed in the UK. Where any transfer outside the UK is necessary, we rely on UK adequacy regulations, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, with documented safeguards. 

 

7. Who We Share Your Information With 

We do not sell, rent, or trade personal data, and we do not share client images with advertisers or social-media platforms for any purpose other than those listed below without your specific consent. We share data only in these limited circumstances: 

  • The instructing clinic, hospital, dental practice or surgeon — for the client's medical record and care. 

  • The instructing law firm or solicitor — for medico-legal cases, with chain-of-custody documentation. 

  • Our IT and storage suppliers, who act as our data processors under a written contract — currently Proton, and our website host. 

  • Our accountant and HMRC — for invoicing and tax records, but not client images. 

  • A court, regulator, the police, coroner or safeguarding authorities — where we are legally required to share specific images, or where a valid court order or statutory power applies. 

  • A successor business — if MedFocus Photography is sold, restructured, or transferred to a successor sole trader, your information may be transferred under equivalent contractual safeguards. We will tell affected clients where this has a material effect on them.

All third-party data processors used by MedFocus Photography have been assessed for UK GDPR compliance. 

8. How Long We Keep Your Information 

8.1 Client images held as a data processor 

Where we hold images on behalf of a clinic, we follow the clinic's retention instructions, set out in our service agreement. We retain images only for as long as needed to deliver the service plus a short reconciliation period, after which images held by us are deleted unless the clinic instructs otherwise. 

 

8.2 Client images held as a data controller 

  • Adult clinical and aesthetic records — retained for a minimum of eight years from the date of capture, based on professional and industry best practice for clinical record-keeping. 

  • Records of children — until the client's twenty-fifth birthday (twenty-sixth if seventeen at the time of capture). 

  • Medico-legal images — retained for the duration of the legal case plus the applicable limitation period, typically six years from the cause of action for personal injury claims, and longer where required for cases involving minors or allegations of fraud. 

  • Images used for marketing — retained for as long as valid marketing consent is in place and the images continue to be used. A record of the consent itself is kept for a minimum of three years after consent is withdrawn. 

 

8.3 Business records 

  • Contracts, invoices, accounting records — six years from the end of the relevant accounting period (HMRC requirement). 

  • Enquiries that did not lead to a booking — twelve months. 

 

9. Your Rights 

Under the UK GDPR you have the following rights, which you may exercise free of charge in most cases: 

  • Right of access — a copy of the personal data we hold about you, including images, normally within one calendar month of your request. 

  • Right to rectification — correction of inaccurate or incomplete information. 

  • Right to erasure — deletion in certain circumstances. Note that clinical and medico-legal images we hold under a legal obligation, public-task basis, or for the establishment or defence of legal claims may not be erasable on request. 

  • Right to restrict processing — a temporary pause on use while a concern is investigated. 

  • Right to object — to processing based on legitimate interests, including direct marketing. 

  • Right to data portability — for data we process by automated means on the basis of consent or contract. 

  • Right to withdraw consent — at any time, where consent is the legal basis. Withdrawal does not affect processing already carried out lawfully. 

  • Rights related to automated decision-making — we do not use your information for solely automated decisions or profiling. 

 

To exercise any of these rights, please email info@medfocusphotography.co.uk. We will normally need to confirm your identity before responding and will respond within one calendar month. Where the instructing clinic is the data controller for your image, we will pass your request to them and let you know. 

 

10. Cookies and Our Website 

Our website uses only those cookies necessary for it to function, and analytics cookies if you give consent through our cookie banner. You can change your cookie preferences at any time. Any website operated by MedFocus Photography will comply with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR requirements for cookie consent. 

11. Marketing Communications 

We do not send marketing emails to clients. We may send marketing communications to clinic and law-firm contacts on a soft opt-in basis, with an unsubscribe link in every message, in line with PECR and ICO direct marketing guidance. 

12. Children 

We photograph child clients only when instructed to do so by their clinical care provider, with consent from a person with parental responsibility and assent from the child where appropriate. Our website is not directed at children, and we do not knowingly collect personal information from children through it. 

13. Data Breaches 

If we become aware of a personal data breach affecting your information, we will assess the risk and, where there is a likely risk to your rights and freedoms, notify the Information Commissioner's Office within seventy-two hours. Where the risk is high, we will also notify you directly without undue delay. We keep an internal log of every breach, even those that do not require notification. 

 

14. Complaints 

If you have a concern about how we handle your personal data, please tell us first by emailing info@medfocusphotography.co.uk. We will look into it and respond within one calendar month. 

  • You also have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk. 

 

15. Clinical Photography Standards 

MedFocus Photography operates in accordance with the standards and guidelines set by: 

  • The Institute of Medical Illustrators (IMI) — professional standards for clinical photography. 

  • The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. 

  • The Mental Capacity Act 2005 — for clients who may lack capacity to consent. 

  • The Data Security and Protection Toolkit standards. 

 

All clinical photography is carried out with full regard for your dignity, privacy, and the minimum necessary exposure of the body. You are always informed of the purpose of photography and have the right to decline at any time. 

16. Changes to This Policy 

We review this policy annually and whenever there is a change in law, regulator guidance, or our processing activities. The version number and effective date at the top of this document show the most recent revision. We keep previous versions on file and will give clinics, law-firm clients, and (where relevant) clients reasonable notice of any material change. 

17. Contact 

MedFocus Photography 

Service address: Medway, Kent, ME7 3DR 

Email: info@medfocusphotography.co.uk 

Phone: 07552 690721 

ICO registration number: ZC133306 

End of policy.  
Effective date: 06/05/2026   |   Version 1.0 


© 2026 MedFocus Photography. All rights reserved.

ICO Registration No: ZC133306

IMI Membership No: 7234

AHCS Registration No: 72690

DBS: Enhanced Check Certified
