Private Patient Privacy Notice
The UK ME/CFS Specialist Clinic (Operated by DVSP ltd)
Last Updated: 30/01/2026
1. Introduction and Data Controller Details
This Privacy Notice explains how the UK ME/CFS Specialist Clinic (the "Clinic," "we," "us") collects, uses, stores, and retains your personal data and special category health data when you use our private, specialist virtual services.
The Data Controller:
Name: DVSP ltd (Trading as Prof Dmitry ME/CFS Clinic)
Company Registration No.: 12749933
Address: Piccadilly Business Centre, Blackett Street, Manchester, England, M12 6AE
Contact for Data Protection: Dr. Dmitry Pshezhetskiy
ICO Registration: ZC085078
We are committed to protecting your privacy and handling your data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. The Data We Collect and Why
We collect personal data primarily to provide safe, effective, and personalised medical care for your Myalgic Encephalomyelitis/Chronic Fatigue Syndrome (ME/CFS), fibromyalgia and Long Covid.
Category of Data | Specific Data Collected | Purpose of Collection (Why we need it) |
Identification & Contact Data | Name, date of birth, address, phone number, email address, NHS GP details. | To verify identity, book and manage appointments, and communicate results/follow-up instructions. Crucially, to obtain the necessary NHS GP referrals. |
Special Category Health Data | Symptoms, medical history (past and present), ME/CFS, fibromyalgia and Long Covid diagnosis and assessment results, treatment plans, clinical notes, referral letters. | To deliver high-quality, evidence-based specialist medical assessment and management for ME/CFS, fibromyalgia and Long Covid adhering to NICE Guidelines. |
Technical Data | IP address, device type, and connection metadata used during online consultations. | To ensure the security, integrity, and quality of the virtual consultation service. |
Financial Data | Payment history (we use third-party payment processors; we do not store full card details). | To process payments for services rendered. |
3. The Legal Basis for Processing Your Data
Under GDPR, we must have a lawful basis for processing your personal data. Because we process highly sensitive health data, we must meet two separate legal requirements:
A. Lawful Basis (Article 6 UK GDPR)
We rely on Contractual Necessity (Article 6(1)(b)) to manage your appointments and process payments, and Legitimate Interests (Article 6(1)(f)) for activities like clinical audit and service improvement.
B. Special Category Basis (Article 9 UK GDPR)
For your health data (Special Category Data), we rely on:
Provision of Health Care: Article 9(2)(h): Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
4. How We Store Your Data
Given the virtual nature of the Clinic, data is handled electronically:
Data Storage and Security
Aspect | Detail |
Storage Location | Patient data is stored securely on a compliant Electronic Patient Record (EPR) system used on the Data Controller's computer, separate from any NHS systems. |
Data Protection Oversight | The EPR system and your private data management are subject to the UK ME/CFS Specialist Clinic's general Information Governance policies and compliance framework, formalised via a Data Processing Agreement (DPA). |
Security Measures | Data is protected by appropriate technical and organisational measures, including strong encryption (at rest and in transit), password protection, and access controls, managed in line with the clinic's ICO registration and security procedures. |
Consultation Security | Online consultations use secure, encrypted video conferencing software to protect privacy during the session. |
5. Data Retention
We retain your personal data and medical records for the minimum period required by professional medical guidelines and law.
Retention Period: Medical records are generally retained for 10 years after the patient's last contact or the patient's death, whichever is later. This is in line with standard NHS/private health service requirements.
Deletion: Once the retention period expires, your records will be securely and permanently deleted from the EPR system.
6. Sharing Your Data
We will only share your data with third parties when necessary for your care or when legally obliged to do so.
Sharing for Direct Care: We will facilitate private referrals to relevant healthcare professionals (e.g., specialist physiotherapists, occupational therapists) where necessary, but only with your explicit consent.
Sharing for Audit/Oversight: Data may be shared (usually anonymised) with regulatory bodies (e.g., CQC) or used internally for clinical governance, appraisal, and revalidation processes (accountable to the Registered Manager of the GP Surgery).
Legal Obligation: We will disclose data if legally required, for example, under a court order or to comply with public health protection duties.
We do not share your private data with the NHS, unless required for continuity of care and with your explicit instruction/consent.
7. Your Rights as a Data Subject
Under UK GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact the Data Protection Contact listed in Section 1.
Right of Access: The right to request a copy of the personal data we hold about you.
Right to Rectification: The right to have inaccurate data corrected.
Right to Erasure (Right to be Forgotten): The right to request deletion of your personal data. Note that this right is heavily restricted for medical records due to the legal requirement for long-term retention.
Right to Restriction of Processing: The right to restrict the processing of your personal data in certain circumstances.
Right to Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format.
Right to Object: The right to object to processing where we rely on legitimate interests.
8. Complaints
If you have a complaint about how we handle your data, please contact Dr. Dmitry Pshezhetskiy in the first instance at admin@ukmecfsspecialist.co.uk.
If you remain dissatisfied, you have the right to lodge a complaint with the supervisory authority:
The Information Commissioner's Office (ICO):
Website: https://ico.org.uk/
Helpline: 0303 123 1113