Data protection in aesthetics: Secure business assets - Hamilton Fraser


In the first in a series of guest blogs for Hamilton Fraser focused on psycho-aesthetic content, Kimberley Cairns explores the topic of confidentiality and data protection, drawing on her innovative integrated psychological approach to aesthetics.

Data is arguably your most valuable business asset, and the UK healthcare sector remains the most ‘at risk’ sector when it comes to data breaches. Healthcare data breaches are the costliest globally due to the personally identifiable nature of the information which they hold, exposing highly sensitive information including names, addresses, medical history and personally identifiable images, as well as financial information.

The UK General Data Protection Regulation (GDPR) refers to the processing of this data as ‘special categories of personal data’, which requires it to be managed correctly by law.

  • There has been a large year-on-year increase in healthcare data breaches, in both size and frequency
  • The average settlement cost per incident increased by 1.4 million to 6.8 million GBP in 2021

You could be held financially responsible for a data incident, so data protection cover is an essential part of your insurance policy.

Why do practitioners need to protect their data?

The UK GDPR sets out seven key principles for processing personal data:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

These principles should be at the heart of your approach to data protection and regarded as a top ethical priority.

Practitioners can revisit their professional body’s code of conduct where further guidance on duties pertaining to maintaining notes, medical records and protecting confidentiality can be found.

You can also gain insights by reading Hamilton Fraser’s article on best practices for record keeping.

Are there any high risk practices or key areas to look out for?

Accidental disclosures of personal data do happen in clinics when sensitive information is shared with the wrong individual. There are many ways they can unfortunately happen – a mistyped email address, the wrong enquiry or patient name, a treatment plan sent to the wrong patient, to name just a few. Understanding where sensitive information is most likely to be shared inadvertently is essential to data security.

The pandemic has spurred a digital migration, increasing our use of communications and media for purposes such as staff training, customer service, recruitment, sales and marketing goals. This can have many advantages; however, the need for data integrity is all the more vital when using dispersed practices which see clinicians and their staff connecting with clinic matters when they are not physically in the clinic. Safe data handling is so much more than avoiding a hacker or cyber security attack. Strengthen your security by learning where you are vulnerable in your operational compliance.


Other high risk zones include:

The (digital) front desk/reception:

  1. Consider your front desk ‘etiquette’. If you repeat names, numbers, and appointment times over the phone and this can be overheard by others, you may be placing yourself in danger of a breach
  2. How a patient pays for a service can also lead to a breach if the personal services or treatments being paid for are overheard
  3. Digital appointments can be extremely useful as an entry discussion into treatment options, risks and benefits. The environment in which these are carried out should be mutually agreed as suitable and in keeping with a private, undisturbed space. It is of note that digital appointments should not be considered or used to replace a face to face consultation, in keeping with the statutory requirements for remote prescribing

The use of shared rooms:

  1. Be aware when you interact with patients in shared spaces. Calling a patient through for their appointment by name may seem innocent enough, but this is a breach of personal information
  2. Avoid any attempt to obtain patient consent in a shared space; this includes talking about specific suitability for treatment. Acquiring fully informed consent requires a private and relaxed area where the patient can freely ask questions and explore any concerns
  3. Treatment preparation including topical application of numbing cream that is visible to others could be considered a violation of privacy

Patient coordination:

  1. Sharing the details of a patient’s journey with a staff member not directly involved in their care, or without the patient’s permission, could be considered a breach
  2. The patient coordinator should frame any conversation with a patient within the parameters of confidentiality and explain how any information shared will be used
  3. It is critical to remember that staff who undertake treatments/services become patients, and their rights to confidentiality must be upheld

Devices:

  1. This includes iPads, laptops, USB sticks, SD cards, mobile phones, cameras, facial/body scanners, photo booths and any digital screen into which patient data is input
  2. Theft, loss of possession or damage to devices can all result in data loss and breaches
  3. Computers that remain logged on with the daily schedule or an email inbox on view to passers-by (patients or other staff) are examples of an equally damaging data breach


Top tips to do now

  • Review and update your privacy policy regularly. If you don’t have one, you need one. Your privacy policy should be clearly displayed on your website. This can also be included in your employee handbook
  • Introduce patient security measures: A three point check to verify a patient’s identity before engaging in any discussion or disclosing any patient details is best practice. Choose from the full name, date of birth, postcode, GP name, next of kin, email address, and/or phone number
  • Do not leave devices unattended with patients
  • Mark all your devices with unique identifiers and count them in and out at the end and start of a shift, or if they leave the clinic, with whom and for what purpose
  • Lock the screen of the device you are using every time you stop using it, even if just for a minute, for example when popping to the kitchen for a quick drink or just to help a colleague out in the next room
  • Use anonymous identifiers, for example a patient ID where possible
  • Increase staff awareness in discussion and training around data protection and confidentiality. This can be a creative space to review and reflect on incidents, near misses and inform role plays to demonstrate the scope of your policy in practice
  • Appoint a data protection officer if you need one. Visit the Information Commissioner’s Office (ICO), to see if this is applicable to you
  • Issue all staff with separate login passwords. These should not be shared and should be regularly changed. If you share devices, do not save passwords in the browser
  • Update your devices and turn on two factor authentication
  • Use a disclaimer on all emails. This doesn’t have to be a daunting process. A quick search through your received mailbox and you will find one. These are often standardised, therefore it only requires a few tweaks to suit your brand and it is ready to be pasted onto your signature
  • For automatic enquiry responses you may wish to include a note such as ‘we respect your information and this conversation is likely to contain personal and sensitive information, please see our full privacy terms of use on our website (insert website)’. Use direct or personal messaging to avoid the dangers of publicly oversharing
  • Ensure you have a dedicated work phone for professional use only. Personal phones open up many opportunities for errors to occur. It can also become impossible to control, trace or know where your sensitive information is if your team uses personal devices. Personal devices can be convenient for booking apps, or for accessing business social media accounts, which makes them desirable in practice. However, their use risks a breakdown of confidentiality and professionalism, and a loss of trust due to poor practice
  • If you think you have suffered a data breach, undertake an incident review as you may need to inform the ICO and/or your insurance company. Visit the ICO website for more information.

In summary, patients assume that practitioners are carrying out their aesthetic practices in a confidential way and expect their sensitive information to be guarded from all kinds of breaches. As well as needing to comply with data protection regulations such as GDPR, trust is implicated in the psychology of data security and it is therefore imperative to protect it. Safer data handling may have the potential to be your most rewarding investment this year.

Data privacy week, which takes place every year at the end of January, is an international effort to empower individuals and encourage businesses to respect privacy, safeguard data and enable trust by spreading awareness about online privacy and how to keep information secure.

Listen to our podcast with PABAU clinic software, to learn more about how going paperless can help you manage your clinic, enabling you to manage data safely and compliantly.

About the author

Kimberley Cairns

Kimberley is an award winning, dynamic, inclusive published wellness expert and member of the British Psychological Society. Her innovative integrated psychological approach to aesthetics encompasses her combined 16 years of acute mental health and aesthetic clinic management experience. Specialising in psycho-aesthetic solutions, Kimberley has numerous key appointments including that of clinical advisory and fitness to practise within the JCCP. Her contributions to aesthetics in the interest of public health protection are extensive.
