Next Steps Eating Disorder Clinic
Privacy Policy
1. Introduction
Next Steps Eating Disorder Clinic is committed to protecting your personal data and respecting your privacy.
This policy explains how we collect, use, store, and protect your information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Who We Are
Next Steps Eating Disorder Clinic is a collective of independent practitioners providing community-based eating disorder support, including psychological and dietetic care.
Each practitioner acts as an independent Data Controller for the personal data they collect and process as part of your care.
Where care is delivered collaboratively, practitioners may share relevant information to ensure safe, coordinated, and effective treatment.
Contact Details (General Enquiries):
Email: hello@nextstepsclinic.com
3. What Information We Collect
We collect and process information necessary to provide safe and appropriate care.
Personal Information
- Name, date of birth, address, and contact details
- NHS number (where relevant)
- GP and/or referrer details
- Emergency contact information
Special Category Data (Health Information)
- Medical and mental health history
- Eating disorder diagnosis, symptoms, and behaviours
- Physical health data (e.g. weight history, blood results where shared)
- Risk-related information (including safeguarding concerns where relevant)
- Session notes, care plans, and progress records
4. How We Use Your Information
We use your information to:
- Provide assessment, treatment, and ongoing care
- Monitor clinical progress and risk
- Develop and review care plans
- Communicate with you regarding appointments and treatment
- Liaise with the relevant professionals involved in your care
- Maintain accurate clinical and administrative records
- Meet legal, ethical, and professional obligations
5. Lawful Basis for Processing
We process personal data under:
- Article 6(1)(b) – Performance of a contract (delivery of care)
- Article 6(1)(c) – Legal obligations
- Article 6(1)(f) – Legitimate interests (safe and effective service delivery)
- Article 9(2)(h) – Provision of health or social care
6. Information Sharing and Care Coordination
We treat your information as confidential and only share it where necessary.
Information may be shared:
- Between practitioners within the Clinic involved in your care
- With your GP, referrer, or other healthcare professionals (with your consent where appropriate)
- With family members or others in your social support network (at your request and with consent where appropriate)
- As part of structured care coordination (e.g. MDT-style working)
- Where required by law
- Where there is a risk of harm, safeguarding concern, or clinical necessity
Where services are commissioned or referrals are made, we may provide structured progress updates and discharge summaries to the referring professional or organisation.
We aim to be transparent about information sharing and will inform you wherever possible.
7. Safeguarding and Risk Management
Due to the nature of eating disorders, there may be circumstances where we need to share information without consent to protect your safety or the safety of others.
This may include:
- Significant deterioration in physical or mental health
- Identified risk of harm (including self-harm or suicide risk)
- Safeguarding concerns involving children or vulnerable adults
In such cases, information may be shared with appropriate services, including GPs, emergency services, or safeguarding teams.
Our approach is to disclose only the minimum information necessary to ensure safety.
8. Remote Care and Digital Communication
The Clinic may deliver services remotely via telephone or secure video platforms.
While we take reasonable steps to use secure systems:
- No digital platform can be guaranteed 100% secure
- You are responsible for accessing sessions in a private and safe environment, where possible
We may also communicate via email, phone, or secure messaging for administrative and clinical purposes.
9. Data Storage and Security
We implement appropriate technical and organisational measures, including:
- Secure electronic record systems
- Password-protected devices and encrypted storage (where applicable)
- Restricted access to personal data
- Use of secure communication tools where possible
Only authorised practitioners involved in your care can access your information.
10. Data Retention
Clinical records are retained in line with UK healthcare guidance, typically:
- 7–8 years after discharge (adults)
- Longer where required for safeguarding or legal reasons
11. Your Rights
You have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request erasure (where applicable)
- Restrict or object to processing
- Request data portability
These rights may be limited where information is required for clinical, legal, or safeguarding purposes.
12. Consent and Withdrawal
Where consent is used as a basis for sharing information, you may withdraw it at any time.
Withdrawal may impact our ability to coordinate care safely.
13. Complaints
If you have concerns about how your data is handled, please contact us in the first instance.
You may also contact the Information Commissioner’s Office (ICO) – the UK regulator for data protection.
14. Updates to This Policy
This Privacy Policy may be updated periodically to reflect changes in legal, regulatory, or service delivery requirements.
