Privacy Policy

Description of Processing:

The following is a very broad description of the way this organisation/data controller processes personal information. To understand how we process your personal information you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation directly to ask about your personal circumstances.

Reasons/purposes for processing information:

We process personal information that enables us to provide healthcare services, maintain accounts and records and support and manage employees.

Type/Classes of information we process:

We process information relevant to the above reasons/purposes which may include:

  • Personal details
  • Family details
  • Lifestyle and social circumstances
  • Goods and services
  • Financial details
  • Employment details

We also process sensitive classes of information that may include:

  • Physical or mental health details
  • Racial or ethnic origin
  • Religious or other beliefs
  • Sexual life

Who we process information about:

We process personal information about our patients; customers, suppliers and employees.

Who information we may share with:

We sometimes need to share information with other organisations. Where this is necessary we comply with all aspects of the data protection act. What follows is a description of the organisations we may need to share some personal information we process with.

Where necessary or required we share information with:

  • Healthcare professionals
  • Social and welfare organisations
  • Central government
  • Service providers
  • Financial organisations
  • Current, past and prospective employers
  • Examining bodies
Our Privacy Policy

We take your privacy very seriously and understand the importance of protecting your privacy and confidentiality in compliance with the guidelines published by the General Medical Council (as amended from time to time).

This privacy policy sets out the basis on which any of your personal data will be processed by us. We collect data that you provide through; visits, during the provision of medical treatment and interactions with us at clinics;

  1. The Manor Hospital in Oxford,
  2. The Nuffield hospital Cheltenham,
  3. The Ridgeway BMI hospital Swindon,
  4. The Shelbourne Clinic (The Great Western Hospital)
  5. Stratum clinics
  6. The NHS

Plastic Surgery Oxford is not responsible for the collection or use of your personal data from our associated Hospitals or clinics. For example, the Hospital may use CCTV. If concerned regarding these hospitals we recommend that you look at each hospitals separate privacy policy.

You may give us data:

  • When you contact us (by email, phone, or otherwise) to book an appointment, make a general enquiry or when you contact us for any other reason;
  • When you visit our Clinics in person for an appointment or for treatment;
  • To allow us to treat you and undertake relevant procedures (if applicable), for example, your medical record and details of any treatment or care previously received;
  • Information obtained from calls we receive or make which we record;
  • During the course of any treatment you may receive at any of the Clinics;
  • During the course of any procedures provided by us to you at a Hospital;
  • To provide you with our telephone consultation services;
  • To process your prescriptions (including repeat prescriptions);
  • If you provide us with information about a patient if the patient is a child or does not have mental capacity to make his / her own decision in respect of any medical treatment;
  • When you complete a form at any of the Clinics;
  • When you make a complaint or report an incident to any of the Clinics;
  • When you provide feedback on your treatment;
  • When you are referred to us by your General Practitioner, a Hospital, another hospital or Hospital clinician;
  • When you are referred to us by your medical insurance provider; or
  • When making a referral to us.

Data we collect about you:

During the course of any treatment or procedure, we will collect:

  1. Medical information about you relating to your condition or treatment;
  2. Images of you and or any associated lesions (if relevant); and
  3. Payment details to process payments due (if applicable).
  4. Data we collect from or are provided by third parties. We may be receive personal data about you:
  5. When your General Practitioner, your medical insurance provider, a Hospital or another hospital, another medical professional refers you to us;
  6. When another clinician asks for a second opinion or refers you to us,
  7. When we ask our patients to provide us with their medical history, which may include asking the patient about relevant medical conditions / history of the patient’s blood relatives;
  8. When our patient’s parents or legal guardians provide us with information if our patient is a child or does not have capacity to make his / her own decisions in respect of his / her medical treatment; and
  9. By the patient when you refer a patient to us.

For us to provide medical and surgical treatment to patients we may need to process and store the following information:

  1. Your name, title, date of birth,  address, telephone number, mobile number, email address,
  2. Details of any enquiry (including medical information you provide),
  3. Whether you have private medical insurance and if not, how you will pay for the treatment.
  4. Details of the organisation making any referral, and details of your medical insurance provider, membership number and authorisation code (if relevant).
  5. Details of your General Practitioner, authorisation code (if relevant) and if you do not have private medical insurance, how you will pay for the treatment.
  6. Dates of any appointment and treatment record with us as well as your previous medical history.
  7. Images of any conditions or images of any body parts.

We would like to reassure you that sensitive personal data (including any medical information) we receive or collect about you will only be processed in connection with the provision of medical treatment and accordance with this policy unless the data has been truly anonymised.

We don’t process personal data for marketing purposes and we won’t provide your information to other businesses or third parties.

Disclosure Of Your Personal Data

We may share your personal data (including sensitive personal data, i.e. your medical information) with selected third parties in accordance with this policy, including:

  • As mentioned above, to your referring General Practitioner, dermatologist, Hospital, other hospital or medical professional who have referred you as a patient to any of the Clinics;
  • Your private medical insurance provider requesting information about your treatment;
  • The Hospital in which a necessary procedure may take place;
  • Government or other law enforcement agencies, in connection with the investigation of unlawful activities or for other legal reasons (this may include your location information);
  • We or substantially all of our assets are acquired by a third party, in which case personal data held by us, including your personal data, will be one of the transferred assets (however, we will let you know before this happens);
  • Our IT service providers, who may access your personal data (including sensitive personal data); or
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation but only if such legal obligation takes precedence over our duty of confidentiality owed to you.
Where We Store Your Personal Data

We store your data on computers owned by Plastic Surgery Oxford Ltd. These computers are pass code secured. We also store patient information Midex Pro.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business to need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Retaining Personal Data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In line with the General Medical Practitioner guidance, we will retain your personal data (including sensitive personal data) for 7 years after the date of the last treatment we provide you.

In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Even if you request that we erase your data, we may still need to keep it (please see below) or may keep it in a form that doesn’t identify you.

Your Legal Rights

You have the following rights with regard to your personal data:

  • You have the right to access data we hold about you.  This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;
  • Rectification or erasure. You have the right to request that we rectify or delete any personal data that we hold about you (unless we have the legal right to retain it). If you request that we erase any personal data that we require in order to provide treatment and services to you, you may no longer be able a patient of any of the Clinics. This right does not extend to non-personal data. Please note that your rights to request erasure may be limited by applicable law.
  • Restriction. You also have the right to restrict us from processing your personal data if the data is inaccurate, the processing is unlawful or we no longer need to your personal data for the purposes for which we hold it.
  • Data portability. You have the right to obtain personal data we hold about you, in a structured, electronic format, and to transmit such data to another data controller if the legal basis for processing such personal data is consent.
  • Object /change of preferences. You have a right to request that we stop processing your personal data where we are relying on a legitimate interest (or those of a third party). Please note, if you submit a request for us to stop processing your personal data in a certain way and this type of processing is required in order to facilitate your treatment or care, you will no longer be able to be a patient of any of the Clinics following your request for us to stop the relevant processing.
  • If for any reason you are not happy with the way that we have handled your personal data, please contact us. If you are still not happy, you have the right to make a complaint to the Information Commissioner’s Office.

Please note that the rights mentioned above do not extend to non-personal data.
If you would like to exercise any of the rights mentioned above, please contact us at

Changes To Our Privacy Policy

Any changes we make to our privacy policy in the future will be notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.

How To Contact Us

We welcome questions, comments and requests regarding our privacy policy and should be addressed to Plastic Surgery Oxford Limited at Nuffield Manor Hospital, Beech Road, Headington, Oxford, OX3 7RP by email to by phone on 07917965717 or using our contact form here.

Please also contact us if you would like to know more about our data processing activities, to update or amend any of your personal data which you provide to us or if you believe our records relating to your personal data are incorrect.

Plastic Surgery Oxford Ltd
Company Registration Number: 08862850
Data Controller: Matthew Potter

Our privacy policy was last updated on 14th November 2023.