01442 331 900

Privacy Policy

Who we are

We are One Stop Doctors Ltd, a company incorporated in England and Wales trading under the name of OSD Healthcare. Our Company number is 09692848 and our registered address is One Medical House, Boundary Way, Hemel Hempstead, Hertfordshire HP2 7YU.

This Privacy Policy (together with our website terms and conditions and cookie policy) sets out how we collect personal information from you and how the personal information you provide will be processed by us.  By visiting the website at (the “Website”) you are accepting and consenting to the practises described in this Privacy Policy. If you do not consent, please do not submit any personal data to us.

Registration number: ZA161795

OSD Healthcare is committed to protecting and respecting your privacy.

This Privacy Policy sets out important details about information that OSD Healthcare and doctors responsible for your care and treatment may collect and hold about you, how that information may be used and your legal rights.

We will review this Privacy Policy on a regular basis and we advise you to check back on our website for the latest version.

1. Who has information about me?

External websites

We may from time to time include on our website links to and from the websites of other organisations.  If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.  Please check these policies and notices before you submit any personal data to these websites.

2. What information does OSD Healthcare hold about you?

We hold 2 types of data about you.

    1. Personal data

    • Personal data only includes information relating to natural persons.

    • Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and OSD Healthcare may only process them in more limited circumstances.

    • Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.

    1. Special Category (sensitive data)
      This sort of data could include:

    • racial or ethnic origin

    • political opinions

    • religious or philosophical beliefs

    • trade union membership

    • genetic data

    • biometric data (where used for identification purposes)

    • health

    • sex life

    • sexual orientation

3. Information we collect

We collect information about you which you have supplied or from others involved in your care and treatment (i.e. your GP, employers) or those who are paying for your care and treatment have supplied to us.

This is likely to include your personal data see Personal Data (see definition in section 2)

For our health assessment clients who come to us through their employer’s health assessment benefit scheme or referral, we have information about you which your employer has supplied to us.  This is likely to include your name and contact details (postal and email addresses and phone numbers).

We may also hold more sensitive information about you, see Sensitive data (see definition in section 2)

This may also include details of healthcare services provided previously by OSD Healthcare and others such as GPs, dentists, or previous hospital visits and details of any medications you have been prescribed or taken.  (Special category (Sensitive data) definition)

We may collect information from you when

    • you visit our websites or enquire about our products or services.

    • contained in enquiry or booking forms, including through our ‘make an enquiry’.

    • you provide in surveys or in feedback or from transactions you carry out on our websites or online payments you make.

If you call our contact centre or contact via our website, these telephone calls or live chats may be recorded and retained for a limited period for training and monitoring purposes and to help improve our services.

Sometimes we obtain information about you from:

    • other health care providers,

    • credit reference agencies,

    • debt collection agencies, and

    • government agencies such as HMRC or the Home Office.

4. How will OSD Healthcare use the information it holds about me?

We use information about you in connection with

    • treatment and/or care,

    • tests or assessments, and

    • medical examinations.

We will use this also in connection with payment of fees, including billing, invoicing and settlement of your account with us.

We may use your phone number (or email address where you have provided it to us) to contact you in advance of and after your admission or appointment for reasons connected with your care or treatment.  Where you have provided us with your mobile number or email address, we may send you confirmations/reminders of your appointments via text message or email and we may respond to your email enquiries via email.

We may also use information about you for

    • quality assurance,

    • maintaining our business records,

    • developing and improving our products and services, and

    • monitoring outcomes where we believe there is a business need to do so and our use of information about you does not cause harm to you.

This may include our workforce planning and workload management systems to help support our staff and clinicians to develop and plan the most appropriate levels of care to our patients and to ensure we have got the right levels of productivity and efficiency and good outcomes for patients.

We may also use information about you where there is a legal or regulatory obligation on us to do so (such as the prevention of fraud) or in connection with legal proceedings.

We may also use information about you where you have provided your consent to us doing so.

We do not carry out automated decision making or profiling.

5. Staff access to your personal and sensitive data.

We carefully control who has access to your information.  Staff only have access where they are required to do so to provide direct care or support (i.e. receptionist and secretary).  Where possible we limit the access that staff have on our clinical systems.  We also carry out spot checks and audits to see if there has been any inappropriate access. Where that occurs, disciplinary action may be taken against the staff, and in serious cases court action. If the data breach includes access to your information, we will contact you.  We also have an obligation if it is a serious data breach to inform the Information Commissioners Office.

In order to reduce risk of a data breach OSD Healthcare have in place robust policies and procedures and we carry out training for all staff on an annual basis.

All clinical staff providing direct care are registered with the appropriate professional and regulatory bodies, i.e. GMC, NMC, CSP and have a responsibility to uphold the highest standards when handling patient/client information.

6. How we keep your information safe and secure

    • OSD Healthcare is required to complete the NHS Digital Data Security & Protection Toolkit. This is a tool that provides assurance that we are meeting standards on handling patient/client information.

    • We have Data Protection Policies in place to ensure staff understand the ‘must’ or ‘must not do’ with patient/client data.

    • Staff are required to complete induction training in Information Governance and to complete annual update training.

    • Spot checks are carried out across the organisation.

    • OSD Healthcare has produced a handbook for staff giving practical advice on handling patient/client data.

    • Our IT is managed by our IT Team who ensure that all safeguards are in place to protect data held on IT systems are protected and secure from unauthorised access, loss or damage. We hold a Cyber Security Plus certification.

    • Passwords are changed on a regular basis.

    • Where incidents do happen, our investigations will include actions we take and lessons learnt.

7. Will OSD Healthcare share information about me with others?

Yes; we set out these reasons below and assure you that in each case, we share only such information as is appropriate, necessary and proportionate.

Sharing information with those involved in your health assessment, care or treatment (or with those who are paying for your care or treatment)

    • We will share your medical information with those involved in your health assessment, care or treatment (such as doctors, nurses and physiotherapists) for direct care purposes. Some of our nursing staff and the resident doctors in our hospitals are provided by specialist staffing agencies.  We ensure there is a single patient record for each patient who is seen at OSD Healthcare, whether as an outpatient or day case.

    • We will also share information about you with other members of staff involved in the delivery of your direct care for administration purposes (such as our, medical secretaries, receptionists).

    • Local NHS hospitals and independent pathology/clinical laboratory services provide OSD Healthcare with support services (such as blood tests) and we may share information about you with these hospitals where required in connection with your care.

    • We may also share relevant parts of your medical information with your GP, dentist, other private organisations and the organisation paying for your treatment (for example your insurance company). For our health assessment clients who come to us through their employer’s health assessment benefit scheme, please be assured that we will not share your medical information with your employer without your consent.

    • We may share information about you with anyone you have asked us to communicate with or whose details you have provided as an emergency contact (such as your next of kin).

8. Sharing information with third parties who are not involved in your health assessment, care or treatment

We may share information about you with external organisations such as:

    • our lawyers,

    • auditors,

    • financial, tax and public relations advisors and

    • NHS organisations, and

    • regulatory bodies such as the CQC and ICO.

We will only do this where we have a legal basis to do so or with your consent

We may also share information about you with third party suppliers, which provide us with

    • a secure credit/debit card storage system,

    • electronic patient record systems

    • radiology imaging archiving and reporting systems.

We may also share information about you with those providing us with information technology systems, this includes:

    • an incident management and recording system, and

    • a system for electronic prescribing as well as

    • other clinical and non-clinical software applications (and related services) and website hosting.

In each case, we would share only such information as was relevant, necessary  and proportionate

9. Sharing your information with credit checking and debt collection agencies

If your bill is not paid on time, we may share information (such as copy invoices) with debt collection agencies.  Information relating to your application will be shared with the OSD Healthcare team which processes these applications and may also be shared with credit checking agencies.

Please be assured that your medical records would not be shared either with credit checking agencies or with debt collection agencies.

10. Sharing with regulators or because of a legal obligation

We may share information about you with our regulators, including the

    • Care Quality Commission.

    • Medicines and Healthcare products Regulatory Agency (which ensures medicines and medical devices used in the UK work and are acceptably safe).

    • NHS England (which leads the NHS in England) and the Department of Health (the government department responsible for health and adult social care policy).

    • Health & Safety Executive.

    • Public Health England.

Sometimes, we are required to disclose information about you because we are legally required to do so. This may be because of a:

    • court order

    • regulatory body has statutory powers to access patients’ or health assessment clients’ records as part of their duties to investigate complaints, accidents or health professionals’ fitness to practise.

Before any disclosure will be made, we will satisfy ourselves that any disclosure sought is required by law or can be justified in the public interest.

Information about you may also be shared with the police and other third parties where reasonably necessary for the prevention or detection of crime.  On occasion, this may include the Home Office and HMRC.

11. Audits, surveys and initiatives

In common with all healthcare providers (both NHS and private), we also look at the quality of the care we provide:

    • to patients and health assessment clients and participate in national audits and initiatives,

    • to ensure that patients are getting the best possible outcomes from their treatment and care, and

    • to help patients make informed choices about the care they receive.

We can assure you that your personal information remains under our control at all times. Any information we provide for national audits and initiatives outside of OSD Healthcare will not contain any information in which any patient can be identified, unless it is required by law.  Any publishing of this data will be in anonymised statistical form.

One of the national programmes we participate in is run by the Private Healthcare Information Network (PHIN) which is an independent statutory entity enabling patients to compare privately-funded healthcare (both hospitals and consultants).

PHIN has its own Privacy Policy (a copy of which can be accessed via their website).  We may share some of your personal data (including NHS Number in England and Wales, CHI Number in Scotland or Health and Care Number in Northern Ireland, as well as age, gender, ethnicity or race, diagnosis, and details relating to the procedure you underwent) with PHIN.

12. Change of OSD Healthcare ownership

If we were to sell or transfer OSD Healthcare or part of our business to another organisation, your patient and health assessment records would also transfer to the new owner.  Limited information may also be shared, where required, with legal and other professional advisors involved in that transaction.

The reason we would transfer your records is to minimise the disruption to current or past patients caused by the sale or transfer and to ensure we and a new owner were able to comply with our legal obligations regarding the retention of patients’ and other clients’ medical records and to ensure continuity of care.

13. Where you have provided us with consent

You may choose to opt in to receiving information about other services OSD Healthcare offers by post or email.

In this case, your consent or decision to opt in is entirely voluntary.  Should you decide not to consent or opt in or should you change your mind at any time, you do not need to give a reason and your medical care and legal rights will not be affected.  You can opt-out by clicking on the ‘unsubscribe’ button in all our marketing communications.

Apart from this limited instance, we do not hold or share information about you based on (or at least solely on) consent.

14. What legal basis does OSD Healthcare have for using information about me?

Data protection law requires that we set out the legal basis for holding and using information about you.  We have set out the various reasons we use information about you and alongside each, the legal basis for doing so.  Given that some information we hold about you is particularly sensitive (as described above), we need an additional legal basis which we have set out in the third column (entitled ‘legal basis for more sensitive information’) explaining our reason for this.

Reason Legal Basis Additional legal basis for special categories of personal data:
Receiving an enquiry and establishing an
initial patient contact
Enter into a contract with us for the delivery of healthcare. Article 6 (b)The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. Article 6 (f)


The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.  Article 9(2)(h)
Providing direct healthcare The use is necessary to provide you with healthcare as part of our contract with you. Article 6(b)The use is necessary for fulfilling our contract with you for the delivery of healthcare or health assessment.  Article 6(b)The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.


The use is necessary to provide you with healthcare and other related services.The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent.The use is necessary for an insurance-related purpose.All Article 9(2)(h)
Seeking and receiving payment of fees, including billing, invoicing and settlement of your account with us including debt collection where applicable The use is necessary to provide you with healthcare (or health assessment) and other related servicesThe use is necessary to fulfil our contract with you for the provision of health assessment services, care and/or treatment Article 6(b)The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. Article 6(f)


The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.The use is necessary in order for us or a third party to establish, exercise or defend our legal rights. Article 9(2)(h)
Administration and management of healthcare services (such as maintaining records including patient medical records, receiving professional advice) The use is necessary to provide you with healthcare and other related services.The use is necessary to comply with a legal or regulatory obligation. Article 6(d)The use is necessary for fulfilling our contract with you for the delivery of healthcare. Article 6(b)The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.  Article 6(f)


The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. Article 9(2)(h)The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.
Communicating with you and resolving any queries or complaints that you might have. Communicating with any other individual that you ask us to update about your care (such as your emergency contact) and liaising with other healthcare professionals about your care The use is necessary to provide you with healthcare and other related services. Article 6(b)The use is necessary for compliance with a legal obligation. Article 6(d)The use is necessary for fulfilling our contract with you for the delivery of healthcare. Article 6(b)The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. Article 6(f)You have given us your consent. Article 6(a)


The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.  Article 9(2)(h)The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.You have given us your explicit consent. Article 9(2)(a)
Conducting surveys The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. Article 6(f)


The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
Complying with our legal and regulatory requirements including investigating complaints or claims and defending or exercising our legal rights The use is necessary for compliance with a legal obligation. Article 6(d)The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. Article 6(d)You have given us your consent. Article 6(a) The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. Article 9(2)(h)The use is necessary in order for us to establish, exercise or defend our legal rights.You have given us your explicit consent. Article 9(2)(a)
Safeguarding purposes (for example, in order to ensure the health and safety of an individual) The use is necessary for compliance with Vital Interest Article 6(c)We need to use the information to protect your vital interests or the vital interests of a third party.The use is necessary to provide you with healthcare and other related services as part of our contract with you  Article 6(b)


We need to use the information to protect your vital interests or the vital interests of a third party and you or the third party are physically or legally incapable of giving consent.We need to use the information for reasons of substantial public interest, such as the use being necessary in protecting an individual from neglect or physical, mental or emotional harm and protecting the physical, mental or emotional wellbeing of an individual.You have given us your explicit consent. Article 9(2)(a)
Preventing and investigating fraud. This might include sharing your personal information with third parties such as the police or fraud prevention agencies, or carrying out fraud, credit, anti-money laundering and other checks The use is necessary to provide you with healthcare and other related services. Article 6(b)The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. Article 6(f)


We need to use the information for reasons of substantial public interest
Carrying out marketing activities and providing marketing information to you The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. Article 6(f)You have given us your consent. Article 6(a)


Passing your records to a third party to whom we sold or transferred part of our business or service The use is necessary to provide you with healthcare and other related services.The use is necessary for compliance with a legal obligation.  Article 6(b)


The use is necessary to provide you with healthcare and other related services.We need to use the information to protect your vital interests or the vital interests of a third party.

15. Where and for how long does OSD Healthcare store information about me?

The information about you that we hold and use is held securely in the United Kingdom and stored electronically and in paper format and on secure servers.

No records are stored outside the EU.

We retain your records for certain periods (depending on the particular type of record) under our retention of records policy.  OSD Healthcare follows the recommend best practice contained in the NHS Records Management Code of Practice. This is to ensure that information is properly managed and is available whenever and wherever there is a justified need for that information, including:

    • to support patient care and continuity of care;

    • to support evidence-based clinical practice;

    • to assist clinical and other audits;

    • to support our legitimate interests; and

    • to meet legal requirements.

Your records may not be retained in hard copy form where a digital copy exists.

If you would like more detailed information on this, please contact our Information Governance Team (contact details below).

16. What rights do I have?

Under certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you.

If you wish to exercise any of the rights set out below, please contact the Governance Team using the contact details set out below.

17. Details of your rights are set out below.

    • The right to be informed. This privacy notice forms part of that, but we also aim to keep you fully informed during your consultations

    • The right to access your personal information

You are usually entitled to a copy of the personal information we hold about you and details about how we use it.

Your information will usually be provided to you in the form you request, if we are unable to do that we will inform you. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.

You are entitled to the following under data protection law.

Under data protection law we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:

    • The purposes for which we use your personal information.

    • The types of personal information we hold about you.

    • Who your personal information has been or will be shared with.

    • Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for.

    • If the personal data we hold about you was not provided by you, where we obtained the information from.

    • Your right to ask us to amend or delete your personal information (if appropriate).

    • Your right to ask us to restrict how your personal information is used or to object to our use of your personal information (if appropriate).

    • Your right to complain to the Information Commissioner’s Office.

    • We also need to provide you with a copy of your personal information.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity (this will be proportionate) and ensure your right to access your personal information (or to exercise any of your other rights). We may also contact you to ask you for further information in relation to your request to speed up our response.

We respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

The right to request correction of your personal information

We take reasonable steps to ensure that the personal information we hold about you is accurate and complete and up to date.  However, if you do not believe this is the case, you can ask us to update or amend it.

The right to request erasure of your personal information

In some circumstances, you have the right to request the erasure of the personal information that we hold about you.  This is also known as the ‘right to be forgotten’.  However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question.

The right to object to the processing of your personal information

In some circumstances, you have the right to object to the processing of your personal information. This would usually apply to processing for other purposes other than your direct health care i.e. research

The right to request a transfer of your personal information

In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/ organisation of your choice. The information must be transferred in an electronic format.

The right to object to marketing

As detailed in the ‘marketing’ section above, you can ask us to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting the Governance or Marketing Teams

The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)

You have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.  We at present do not use any of these.

The right to withdraw your consent

You have the right to withdraw your consent where we rely upon this as a legal ground for processing your information. You can do this by contacting our Governance Team.

18. CCTV

We use CCTV in various parts of OSD Healthcare. CCTV is used for the safety and security of our patients, health assessment clients, visitors, and staff.

19. The right to complain to the Information Commissioner’s Office

You have the right to complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law.

Making a complaint will not affect any other legal rights or remedies that you have.

More information can be found on the Information Commissioner’s Office website: and the Information Commissioner’s Office can be contacted by post, phone, fax or email as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane

Tel: 0303 123 1113 (local rate) or 01625 545 745 (if you prefer to use a national rate number)

Fax: 01625 524 510


For further questions or to exercise any rights set out in this Privacy Policy, please contact OSD Healthcare’s Information Governance & Data Protection Officer:

Governance Team contact details:

Email address:

Head of Governance:  01442 331935

Cookie Policy

What are cookies?

The Website uses cookies to distinguish you from other users of the website.  As is common practice with almost all professional websites this site uses cookies, which are tiny files that are downloaded to your computer, to improve your experience.  This page describes what information they gather, how we use it and why we sometimes need to store these cookies.  We will also share how you can prevent these cookies from being stored however, this may downgrade or ‘break’ certain elements of the sites functionality.

For more general information on cookies see the Wikipedia article on HTTP Cookies.

How we use cookies:

We use cookies for a variety of reasons detailed below. Unfortunately in most cases there are no industry standard options for disabling cookies without completely disabling the functionality and features they add to this site. It is recommended that you leave on all cookies if you are not sure whether you need them or not in case they are used to provide a service that you use.

Disabling cookies:

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of this site. Therefore, it is recommended that you do not disable cookies.

If you do not want to have cookies placed on your device by third parties, many of them offer ways to opt out. In addition, most web browsers allow at least some control of most cookies through browser settings. You may refuse the use of cookies by selecting the appropriate settings on your browser to decline cookies. You may also delete existing cookies through your browser.

Please visit the following websites to learn more (depending on the browser you use):

The cookies we set:

This site offers newsletter or email subscription services and cookies may be used to remember if you are already registered and whether to show certain notifications which might only be valid to subscribed/unsubscribed users.

When you submit data through a form such as those found on contact pages or comment forms cookies may be set to remember your user details for future correspondence.

Third Party Cookies:

In some special cases we also use cookies provided by trusted third parties. The following section details which third party cookies you might encounter through this site.

This site uses Google Analytics which is one of the most widespread and trusted analytics solution on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content.

For more information on Google Analytics cookies, see the official Google Analytics page.

From time to time we test new features and make subtle changes to the way that the site is delivered. When we are still testing new features these cookies may be used to ensure that you receive a consistent experience whilst on the site whilst ensuring we understand which optimisations our users appreciate the most.

As we sell products it’s important for us to understand statistics about how many of the visitors to our site actually make a purchase and as such this is the kind of data that these cookies will track. This is important to you as it means that we can accurately make business predictions that allow us to monitor our advertising and product costs to ensure the best possible price.

The Google AdSense service we use to serve advertising uses a DoubleClick cookie to serve more relevant ads across the web and limit the number of times that a given ad is shown to you.

For more information on Google AdSense see the official Google AdSense privacy FAQ.

Please contact us via the following webpage if you have any questions regarding cookies on our website.