Jenny Harmer (IBCLC) is registered with the Information Commissioner’s Office (ICO).
You can find further information at www.ico.org.uk.

If you are unhappy with how your personal data has been handled, you can contact me directly or lodge a complaint with the ICO.

1. Collection and use of personal data

Relevant personal data obtained during consultations, and via phone, text, email, Messenger and WhatsApp, will be recorded in your client record. Information is provided by the baby’s parent or carer with parental responsibility.

Your data is used to:

• Provide safe and effective care

• Maintain accurate clinical records

• Communicate with you (including follow-up)

• Arrange and process payment

• Fulfil our contract

Please note that some communication methods (e.g. WhatsApp, text, email) may carry a level of risk due to the technology used.

2. Storage of records (Splose)

Clinical records are stored securely using Splose, a GDPR-compliant practice management system. Splose acts as a data processor on my behalf.

Data is stored securely using encryption, password protection, and secure servers. Access is restricted to authorised users only.

Devices used to access records (e.g. laptop or phone) are password protected and secured.

3. Copies of records

A copy of your consultation notes may be provided to you electronically following your appointment.

4. Clinical record keeping

Records are maintained in line with the Nursing and Midwifery Council (NMC) Code, ensuring they are clear, accurate, and relevant.

Keeping detailed records supports continuity of care and demonstrates that care provided is appropriate, safe, and evidence-based.

5. Use of anonymised data

Anonymous information from your records may be used for:

• Clinical supervision

• Audit (local and national)

• Professional discussion with colleagues

• Service improvement and learning

No identifying information will be shared.

6. Lawful basis for processing

Your personal data is processed under the following lawful bases:

• Contract – to provide the service you have requested

• Legal obligation – to meet professional and regulatory requirements

• Legitimate interests – to ensure safe and effective care

• Consent – where required (e.g. sharing with other professionals)

Health data is processed under Article 9 UK GDPR as special category data for the provision of health care.

7. Data retention

Clinical records are retained for 25 years from the child’s date of birth, in line with professional guidance and indemnity requirements.
After this period, records will be securely deleted or destroyed.

8. Sharing information

With your consent, relevant information may be shared with other healthcare professionals (e.g. GP, Health Visitor, Midwife) to support your care.

If there are safeguarding concerns or risk of harm, information may be shared without consent in line with legal obligations.

9. Your rights

Under data protection law, you have the right to:

• Access your data

• Request correction of inaccurate data

• Request restriction or objection to processing

• Withdraw consent where applicable

Further information is available via the ICO website.

10. Insurers and legal processes

If a complaint or claim arises, relevant information may be shared with my insurer (Westminster Insurance) and legal advisors.

11. Payments

Payment-related data may be processed via bank transfer or third-party providers (e.g. card payment platforms or accounting software). These providers are responsible for their own data handling practices.

12. Access requests

Access to your data is free of charge. Please contact me via my website or email to make a request.