Privacy Policy

Privacy & Confidentiality

Data Controller

23MD (referred to as “we”, “us”, “our” or “23MD”) in this policy primarily refers to 23MD Medical Services Limited, the operating company of 23MD. 23MD Limited is the “data controller” of all personal information that is collected and used about 23MD customers for the purposes outlined in this policy document. 23MD Medical Services is registered in England and Wales.

23MD has appointed a Data Protection Officer (DPO).

Data Protection Officer
We have appointed a Data Protection Officer (“DPO”), Dr Martin Galy, to oversee compliance with this policy.

What Personal Information do we collect

Personal data means any information relating to you which allows us to identify you, such as your name, contact details, patient ID number, payment details and information about your access to our website.

We may collect and retain personal data from you when you register with us for an appointment, or make an enquiry via telephone or website.

We may use this data to communicate with you via email, telephone or SMS about treatments available and treatment delivered to you.

You will have the right to withdraw from some types of communications.

We may record and retain telephone calls for training and quality purposes.

Other data will be collected and stored in your files once you have had a consultation or treatment with us.

Specifically, we may also collect the following categories of information:

  • Personal Data
    • Name, home address, e-mail address, telephone number, passport or other recognized personal ID card numbers and details, credit/debit card or other payment details, and next of kin details.
  • Medical Data
    • History
    • Treatment details
  • Purchasing Data
    • Treatments, products or services that you have purchased from us
  • Information about your use of our website and/or App when available
  • Communication Data
    • The communications you exchange with us or direct to us via letters, emails, chat service, calls, and social media.
  • “Sensitive” personal data under applicable data protection laws
    • Personal details about your physical or mental health, or the alleged commission of or conviction for criminal offences, are considered sensitive personal data but are recorded as appropriate in your medical files at the clinic

What do we use your personal data for, for how long, and why

Your data may be used for the following purposes:

  • Storing personal details about you, such as your address, legal representative and emergency contact details
  • Storing data about any contact the clinic has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • We will use your email to remind you of your appointment, confirming the meeting time and place. Email will also be used for letters and reports.
  • Personal emails are sent unencrypted. If you prefer encrypted emails, please let us know and we will encrypt the email and send a code to your mobile. We will use your email address for this purpose.
  • We will also use your email address for information and updates about the practice from time to time. We will send these updates as they are important to you.
  • We will use your data to store notes and reports about your health, as well as details about your treatment and care, results of investigations such as laboratory tests, x-rays etc., and any relevant information from other health professionals, relatives or those who care for you

Only adults aged 18 or over can attend our clinic and provide their own consent.

We will hold your data for a minimum of 10 years after your treatment, and longer if deemed necessary for legal reasons, in accordance with the NHS Code of Practice for Records Management.

Information may be used within the clinic and shared amongst our multidisciplinary team to ensure coherence in treatment.

Information may also be used for clinical audit to monitor the quality of the service provided.

Some of this information may be used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested to be used for research purposes – the clinic will always gain your consent before releasing the information for this purpose.

If we no longer need your personal data, we will securely delete or destroy it. We will also consider if and how we can minimise over time the personal data that we use, and if we can anonymise your personal data so that it can no longer be associated with you or identify you, in which case we may use that information without further notice to you.

How do we maintain security of your data

The practice is registered with the Information Commissioner’s Office (ICO). More details about this can be found on the Information Commissioner’s Office (ICO) website.

We follow strict security procedures in the storage and disclosure of your personal data, and to protect it against accidental loss, destruction or damage. The data you provide to us is protected using SSL (Secure Sockets Layer) technology. SSL is the industry standard method of encrypting personal information and credit card details so that they can be securely transferred over the Internet.

Your medical data is stored in a cloud-based system that is in compliance with the following acts and regulators:

  • The Department of Health UK
  • Information Commissioner’s Office (ICO)
  • The General Data Protection Regulations Act 2018
  • Data Protection Act 2018
  • Senat

We may disclose your information to trusted third parties for the purposes set out in this Privacy Policy.

We require all third parties to have appropriate technical and operational security measures in place to protect your personal data, in line with GDPR.

Sharing your personal data

Your personal data may be shared within the company amongst the members of our multidisciplinary team.

Your data may also be shared with other companies e.g. for laboratory tests and other investigations as agreed with you at the time of your consultation or treatment.

We may also share your personal data with the following third parties for the purpose described in this Privacy Policy.

Who are our partner organisations? – We may also have to share your information, subject to strict agreements on how it will be used. These companies are bound by contractual agreements to ensure information is kept confidential and secure. We partner with the following organisations to send or receive information about you:

  • Private Sector Providers such as Pharmacists, The Doctors Laboratory, Ultrasound Diagnostic Services and other professional associates
  • GPs / NHS Trusts / Foundation Trusts / NHS Commissioning Support Units
  • Social Care Services
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of
    • e.g. Social media: You may be able to access third-party social media services through our website or App (when available), or before coming to our website or App via Instagram or other social media platforms.
    • When you are registered with your social media account, we may obtain the personal information you choose to share with us through these social media services, pursuant to their privacy settings, in order to improve and personalise your use of our website or App.
    • We may also use social media plugins on our website or App.
    • Your information will be shared with your social media provider and possibly presented on your social media profile to be shared with others in your network.
    • Please refer to the privacy policy of these third-party social media providers to find out more about these practices.

Except for emergency situations, you will be informed who your data will be shared with and, where required, asked for explicit consent for this to happen.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.

How do we maintain confidentiality of your records

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Information Commissioner’s Office (ICO)
  • Data Protection Act 1998
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality and Information Security
  • Information: To Share or Not to Share Review

Every member of staff who works for the Practice has a legal obligation to keep information about you confidential. This extends beyond the clinic, and beyond their time of employment at the clinic.

We will only ever use or pass on information about you if others involved in your care have a genuine and legal need for it.

We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations) where the law requires information to be passed on, for example Child/Adult Protection and Serious Criminal Activity. These companies are bound by contractual agreements to ensure information is kept confidential and secure.

Objections & Complaints

Should you have any concerns about how your information is managed, please contact the Practice Manager.

If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioner’s Office (ICO) via their website.

You can also read the ICO’s Subject Access code of practice guidance (PDF, 897kb) for more information. You have the right to make a complaint at any time to a supervisory authority.

More details about this can be found on the Information Commissioner’s Office (ICO) website. This is the lead data protection supervisory authority for 23MD Limited, as a UK data controller.

Your Rights to Protecting and Accessing your data

The GDPR, in force as of May 2018, covers personal information, including health records. It gives you the right to have a copy of your records by requesting a permanent copy in writing. This request is known as a subject access request (SAR).

Under certain circumstances, by law you have the right to:

Request information about whether we hold personal information about you, and, if so, what that information is and why we are holding/using it.

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that this can be amended. You have a responsibility to inform us of any changes so that our records are accurate and up to date for you.

Request access to your personal information. You have a right to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate.

In order to request this, you need to do the following:

  • You should submit a SAR in writing to the practice manager.
  • We are required to respond to you within 40 days.
  • You will need to sign your SAR and provide adequate information (for example full name, address, date of birth, and details of your request) so that your identity can be verified and your records located. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • If you have asked to see a copy of your records, they will be shown to you in the format in which they were originally written. Any abbreviations and complicated medical terms will be explained to you. If you still do not understand any part of the record, the health professional who is holding the record will explain it to you. Fees equivalent to consultation fees on a timed basis will apply to this.
  • If you request a report to be generated, administrative fees will apply.

Our Privacy Policy may change from time to time, and any changes to the statement will be communicated to you by way of an e-mail or a notice on our website.

Accessing data of a deceased person

If you want to view the health records of a deceased person, you can apply in writing to the Data Protection Officer (DPO) under the Access to Health Records Act (1990).

The DPO at 23MD is Dr Martin Galy and can be contacted here.
