Privacy Policy

Last Updated May 2026

1. Who We Are

Twenty Six Clinic is a specialist foot and ankle surgical practice led by Maurice O’Flaherty, a Consultant Foot & Ankle Surgeon practising across the UK and Ireland. We are committed to protecting the privacy and confidentiality of everyone who visits our website or seeks care through our practice.


For the purposes of data protection law, Twenty Six Clinic is the data controller responsible for personal data collected through this website. This means we determine how and why your personal data is used, and we are accountable for handling it lawfully and securely.

We operate in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and — for patients in the Republic of Ireland — the EU General Data Protection Regulation (EU GDPR) and the Data Protection Acts 1988–2018.

Data protection enquiries: clinic@twentysixclinic.com

2. What Personal Data We Collect

We collect only the information necessary to provide you with high-quality clinical care and a responsive service. This may include:

Information you give us directly:
– Full name, date of birth, and contact details (address, phone number, email)
– Details of your foot or ankle condition, symptoms, or treatment history
– GP name and practice, and details of any referring clinician
– Private medical insurance provider and membership number
– Any other information you choose to include in an enquiry or contact form

Special category (health) data:
Your medical information is classified as special category data under UK/EU GDPR and is treated with the highest level of care. We collect and process it only to the extent necessary for your clinical assessment and treatment.

Data collected automatically:
When you browse our website, we may collect technical data such as your IP address, browser type, device type, pages visited, and how you arrived at our site. This is used solely to maintain and improve the website experience.


3. Why We Collect It & Our Legal Basis

We use your personal data for the following purposes:

– Appointment management — responding to enquiries, scheduling consultations, and sending reminders
– Clinical care — assessing your condition, forming a treatment plan, and managing your ongoing care
– Coordination with other clinicians — sharing relevant information with your GP, anaesthetist, physiotherapist, or other treating specialists on a need-to-know basis
– Insurance and billing — obtaining pre-authorisation from insurers and processing payments
– Legal and regulatory compliance — meeting obligations imposed by healthcare regulators, tax authorities, and professional bodies
– Website improvement — using anonymised analytics to understand how our site is used

Our legal bases under UK/EU GDPR:

| Purpose | Legal Basis |
| --- | --- |
| Providing clinical care | Art. 9(2)(h) — healthcare provision |
| Appointment booking | Art. 6(1)(b) — performance of a contract |
| Legal/regulatory obligations | Art. 6(1)(c) — legal obligation |
| Website analytics | Art. 6(1)(f) — legitimate interests |
| Marketing emails | Art. 6(1)(a) — consent (opt-in only) |

4. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share it only where necessary, and only with parties who are bound by appropriate confidentiality and data protection obligations. This may include:

– Hospitals and treatment facilities where your surgery or investigations take place
– Your GP and referring clinician, to ensure continuity of care
– Other members of your clinical team (e.g. anaesthetists, physiotherapists, radiologists)
– Private medical insurers, for pre-authorisation and claims processing
– IT and software providers who support our practice management, secure communications, or website — all bound by data processing agreements
– Healthcare regulators such as the GMC, HCPC, CQC (England), or HIQA (Ireland) where required
– Legal or financial advisers, where strictly necessary for the operation of the practice
– Law enforcement or public authorities, where we are legally required to disclose information

In all cases, we share the minimum amount of data necessary and take steps to ensure it is handled securely.

5. How Long We Keep Your Data

We retain personal data only as long as necessary for the purpose for which it was collected, and in accordance with legal and professional requirements:

– Adult patient records — minimum 8 years from the date of last treatment (UK guidance); equivalent periods apply under Irish regulations
– Children’s records — retained until the patient’s 25th birthday, or 26th if aged 17 at the time of last treatment
– Financial and billing records — 7 years, in line with HMRC requirements
– Marketing consent records — until consent is withdrawn, plus a short administrative period
– Website enquiries with no appointment — up to 2 years, or as required for follow-up

When data is no longer required, it is securely deleted or irreversibly anonymised.

6. Your Rights

You have the following rights under UK GDPR (and EU GDPR for patients in Ireland). These rights are not absolute in all cases — for example, some are subject to our legal obligation to retain healthcare records — but we will always respond to requests honestly and promptly.

– Right of access — request a copy of the personal data we hold about you
– Right to rectification — ask us to correct inaccurate or incomplete data
– Right to erasure — request deletion of your data where there is no lawful reason to retain it
– Right to restriction — ask us to limit how we use your data in certain circumstances
– Right to data portability — receive your data in a structured, portable format
– Right to object — object to processing based on legitimate interests or for direct marketing
– Right to withdraw consent — where we rely on your consent, you may withdraw it at any time without affecting anything that has already taken place

To exercise any of these rights, please contact us at clinic@twentysixclinic.com. We will respond within one calendar month.

If you are not satisfied with how we have handled your data, you have the right to raise a complaint with the relevant supervisory authority:

– UK — Information Commissioner’s Office (ICO): [ico.org.uk](https://ico.org.uk) | 0303 123 1113
– Ireland — Data Protection Commission (DPC): [dataprotection.ie](https://www.dataprotection.ie) | +353 (0)57 868 4800

7. Cookies

Our website uses cookies — small files stored on your device — to ensure it works correctly and to help us understand how it is used.

– Strictly necessary cookies are essential for the site to function and do not require your consent
– Analytics cookies (e.g. Google Analytics) help us understand visitor behaviour in aggregate; these are only activated with your consent
– Preference cookies remember choices you have made on the site

You will be asked for your cookie preferences on your first visit. You can update or withdraw your consent at any time via the cookie settings link in our website footer, or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of the site.

8. Security

We take the security of your personal data seriously. Our safeguards include:

– SSL/TLS encryption for all data transmitted through our website
– Secure, encrypted storage of clinical and personal records
– Role-based access controls so that only those with a legitimate need can access patient data
– Regular review of our systems, practices, and staff training

In the event of a personal data breach that is likely to pose a risk to your rights or freedoms, we are legally required to notify the relevant supervisory authority within 72 hours, and to inform you directly where the risk is high.

9. Changes to This Policy

We review this Privacy Policy periodically and update it to reflect changes in our practice or applicable law. Any updates will be posted on this page with a revised date at the top. Where changes are significant, we will take reasonable steps to bring them to your attention. Continued use of our website following an update constitutes acceptance of the revised policy.

10. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please get in touch:

Twenty Six Clinic
[Address]
clinic@twentysixclinic.com