Privacy Policy
How we collect, use, and protect your personal information — in accordance with UK GDPR and the Data Protection Act 2018.
UK GDPR Compliant
We process your data in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018.
Secure & Confidential
All health records are stored securely with NHS-grade confidentiality standards.
No Data Selling
We never sell or commercially share your personal information with third parties.
Your Rights Protected
You have full rights to access, correct, and request deletion of your data.
Last Updated: March 2026
This policy applies to Gloucester Travel Clinic, operated by Brookfield Pharmacy and Hucclecote Pharmacy. It explains your rights and our obligations under UK GDPR, the Data Protection Act 2018, and relevant NHS and GPhC guidance.
1. Who We Are
Gloucester Travel Clinic is operated by Brookfield Pharmacy (GPhC registration: FGQ38) and Hucclecote Pharmacy (GPhC registration: FG509), collectively referred to as 'we', 'us', or 'our' in this Privacy Policy.
We are the data controllers for the personal information we process in connection with our travel health and pharmacy services. We are registered with the Information Commissioner's Office (ICO) as required under UK GDPR and the Data Protection Act 2018.
Our registered pharmacies are located at 5 Brookfield Road, Hucclecote, Gloucester, GL3 3HA and 7 Glenville Parade, Hucclecote, Gloucester, GL3 3ES.
2. Information We Collect
We collect and process the following categories of personal information when you use our services:
Identity and contact information: your full name, date of birth, address, telephone number, and email address.
Health information (special category data): your medical history, current medications, allergies, vaccination records, travel itinerary details, and any relevant health conditions required to provide safe and appropriate travel health advice, vaccinations, and prescription medicines.
Payment information: billing details necessary to process payments for private services. We do not store full card details; payments are processed securely by our payment provider.
Website usage data: when you visit our website, we may collect anonymised technical data such as your IP address, browser type, and pages visited through cookies and analytics tools. This data does not identify you personally.
Communications: records of correspondence, consultation notes, and enquiries you submit through our website, by telephone, or in person.
3. How We Use Your Information
We use your personal information for the following purposes:
To provide healthcare services: processing your personal and health information is necessary for the provision of medical care, including travel health consultations, administration of vaccines, prescribing antimalarials, and dispensing medication. The legal basis is Article 9(2)(h) UK GDPR — processing for the purposes of preventive or occupational medicine and the provision of health care.
To manage appointments and communications: confirming, amending, or cancelling bookings and sending relevant health reminders. Our legal basis is contract performance and legitimate interests.
To fulfil legal and regulatory obligations: as GPhC-registered pharmacies, we are required by law to maintain accurate dispensing and prescribing records, report to NHS England where applicable, and comply with professional guidance from organisations such as NaTHNaC, MHRA, and Public Health England.
To process payments: where services are chargeable, we process billing information on the basis of contract performance.
To improve our services: anonymised and aggregated data may be used to analyse and improve the quality of our services. No identifiable data is used for this purpose.
5. How Long We Keep Your Data
We retain personal data only for as long as necessary for the purposes described in this policy and in accordance with NHS and GPhC record retention guidelines.
Patient health records (including vaccination and consultation records): retained for a minimum of 8 years from the date of last treatment in line with NHS guidance, or until the patient's 25th birthday if the record relates to a child.
Prescription and dispensing records: retained for 2 years in accordance with Medicines Act requirements.
General enquiry and contact data: retained for up to 12 months after last contact, unless a longer retention period applies.
Financial records: retained for 6 years in accordance with HMRC and Companies Act requirements.
After the applicable retention period, data is securely deleted or anonymised.
6. Your Rights Under UK GDPR
As a data subject under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:
Right of access: you may request a copy of the personal data we hold about you (Subject Access Request). We will respond within one calendar month.
Right to rectification: you have the right to request correction of inaccurate or incomplete personal data.
Right to erasure ('right to be forgotten'): you may request deletion of your data where we no longer have a lawful basis to retain it. Note that health records subject to statutory retention obligations cannot always be deleted on request.
Right to restriction: you may request that we limit how we use your data in certain circumstances.
Right to data portability: where processing is based on consent or contract performance, you may request a structured, machine-readable copy of your data.
Right to object: you may object to processing based on legitimate interests or for direct marketing purposes.
Rights related to automated decision-making: we do not make solely automated decisions that have a significant effect on you.
To exercise any of these rights, please contact us using the details in section 9. We will respond within one month of receiving your verified request. You will not be charged for making a request unless requests are manifestly unfounded or excessive.
7. Data Security
We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your information against unauthorised access, disclosure, alteration, or destruction.
These measures include: role-based access controls, encrypted storage of electronic records, secure NHS mail for health-related email communications, password-protected systems, and staff training on data protection and confidentiality obligations.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform affected individuals without undue delay.
9. Contact Us & How to Complain
If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have a concern about how we handle your data, please contact us:
Brookfield Pharmacy: 5 Brookfield Road, Hucclecote, Gloucester, GL3 3HA · Tel: 01452 618377 · Email: pharmacy.FGQ38@nhs.net
Hucclecote Pharmacy: 7 Glenville Parade, Hucclecote, Gloucester, GL3 3ES · Tel: 01452 616906 · Email: pharmacy.FG509@nhs.net
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection:
ICO Helpline: 0303 123 1113 · Website: www.ico.org.uk · Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
10. Updates to This Policy
We review and update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or regulatory guidance.
The current version will always be available on this page. Material changes will be communicated to patients with active records where required by law.
This Privacy Policy was last updated in March 2026.
