Privacy Policy

Last reviewed: 5 April 2026

OAS Medical Ltd

Last updated: 05/04/2026

1. Who we are

OAS Medical Ltd is the data controller responsible for your personal information. We are a private GP clinic registered in England and Wales (Company No. 14119082) with premises registered with the Care Quality Commission (CQC).

Our clinic is located at Watton Road, Norwich, NR4 7YB, United Kingdom.

For any questions about how we handle your data, please contact us at 07812686301 or by email at lauren.mercer2@nhs.net.

We are registered with the Information Commissioner's Office (ICO). Our registration number is [insert].

2. What information we collect

When you use our services, we may collect and process the following categories of personal data:

Personal details — your name, date of birth, address, telephone number, and email address.

Medical information — your medical history, current symptoms, diagnoses, medications, allergies, test results, consultation notes, and treatment plans. This constitutes special category data under UK GDPR.

Administrative information — appointment records, payment details, consent forms, correspondence, and referral letters.

Next of kin and emergency contact details — where you choose to provide these.

Technical data — if you use our website, we may collect IP address, browser type, and usage data through cookies (see Section 10).

3. How we collect your information

We collect information from the following sources: directly from you during consultations, telephone calls, online appointments, or correspondence; from your NHS GP (with your explicit consent); from laboratories or diagnostic providers we engage on your behalf; and from any specialist to whom we have referred you, where they provide a report or outcome letter.

4. Our lawful basis for processing your data

We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For general personal data, our lawful bases under Article 6 are: performance of a contract (to provide the medical services you have booked and paid for); legal obligation (where we are required by law to hold or share information); and legitimate interests (for administrative purposes, quality improvement, and clinical governance).

For special category data (health data), our lawful basis under Article 9(2)(h) is that processing is necessary for the provision of healthcare, medical diagnosis, and the management of healthcare systems, undertaken by a health professional subject to a duty of confidentiality.

5. How we use your information

We use your personal and medical data to: provide you with safe, effective clinical care; manage your appointments, prescriptions, and referrals; communicate with you about your treatment; send consultation summaries to your NHS GP (with your consent); process payments; comply with legal and regulatory obligations including CQC requirements; conduct clinical audit and quality improvement; and respond to any complaints, claims, or legal proceedings.

We will never use your information for marketing purposes without your explicit consent. We do not sell or share your data with third parties for commercial purposes.

6. Who we share your information with

We may share your personal information with the following parties, and only to the extent necessary:

Your NHS GP — with your consent, we send a summary of your consultation to maintain continuity of care.

Private specialists — where we issue a referral on your behalf, we share relevant clinical information with the receiving specialist.

Laboratories and diagnostic providers — where blood tests, pathology, or other diagnostics are required, we share the minimum information necessary to process your tests.

Our clinical systems provider — we use Semble to manage clinical records and appointments. Semble processes data on our behalf as a data processor under a formal data processing agreement.

Regulatory bodies — we may be required to share information with the CQC, GMC, or other regulatory authorities where legally obliged.

Legal and safeguarding obligations — in exceptional circumstances, we may be required to disclose information without your consent where there is a risk of serious harm to you or others, where required by court order, or to comply with safeguarding duties.

All data sharing is conducted in accordance with the Caldicott Principles, which require that every use or transfer of confidential information has a clearly defined and justified purpose, uses the minimum necessary data, and is accessible only to those who need it.

7. How we keep your data secure

We take the security of your personal and medical information seriously. Our measures include: encrypted electronic clinical records held within Semble, with role-based access controls; secure, password-protected systems with two-factor authentication; physical security of any paper records in locked storage with restricted access; staff training on data protection, confidentiality, and information governance; and formal data processing agreements with all third-party suppliers who handle data on our behalf.

8. How long we keep your data

There is no definitive guidance relating to the retention of private clinical records, as the regulations that previously covered this are no longer in force. However, in line with GMC guidance and the NHS Records Management Code of Practice, we apply the following retention periods as best practice:

Adult patient medical records are retained for the duration of the patient's lifetime and a minimum of 10 years after the last entry, or 3 years after death, whichever is longer. Records relating to children are retained until the patient's 25th birthday, or 26th if an entry was made when the patient was 17, or 10 years after death. Financial and administrative records are retained for 6 years in line with HMRC requirements.

At the end of the applicable retention period, records are securely destroyed in accordance with UK GDPR requirements.

9. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

Right of access — you may request a copy of the personal data we hold about you. The first copy will be provided free of charge. We will respond within one calendar month of receiving your request.

Right to rectification — you may ask us to correct any inaccurate or incomplete data.

Right to erasure — you may request deletion of your data in certain circumstances. However, we may be unable to comply where we are legally required to retain records for clinical or regulatory purposes.

Right to restrict processing — you may ask us to limit how we use your data in certain circumstances.

Right to data portability — you may request your data in a structured, commonly used format to transfer to another provider.

Right to object — you may object to processing based on legitimate interests. We will cease processing unless there are compelling legitimate grounds.

Right to withdraw consent — where processing is based on your consent (for example, sharing records with your NHS GP), you may withdraw consent at any time. This will not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us in writing at [insert email] or by post to our clinic address. We may ask you to verify your identity before processing your request.

10. Cookies

Our website uses cookies to ensure it functions correctly and to help us understand how visitors use the site. We use: strictly necessary cookies required for the website to operate; and analytics cookies (with your consent) to collect anonymous usage data to improve the website.

You can manage your cookie preferences through your browser settings. For more information, please see our separate Cookie Policy.

11. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. The date of the most recent update is shown at the top of this page. We encourage you to review this policy periodically.

12. How to complain

If you have any concerns about how we handle your personal data, we encourage you to contact us in the first instance so that we can address your concerns directly.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113. Website: ico.org.uk.

13. Contact us

OAS Medical (premises at Cora Health Norwich Clinic), Watton Road, Norwich, NR4 7YB. Telephone: 07812686301. Email: lauren.mercer2@nhs.net.