Data Privacy Notice and Consent Form for Patients

Oncotrust Ltd (“We”, “Us”, “Our”) is committed to protecting information through appropriate controls, being transparent about what data we hold and how we use it, and about respecting Your privacy. “You” (“Your”) are Our patient to whom We provide services, or are considering entering into an agreement with us for the provision of Our services.

The rules on processing of personal data are set out in the General Data Protection Regulation (“GDPR”). The terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Processing” and “Appropriate Technical and Organisational Measures” used below shall be interpreted in accordance with the GDPR.

This policy sets out the basis on which any Personal Data we collect from You, or that You provide to Us, will be processed by Us.

Oncotrust Ltd. is a company registered in England under number 10734587 whose registered office is Charles Rippin Turner, 130 College Road, Harrow, HA1 1BQ. We are the Data Controller.

The Personal Data we collect from you includes but is not limited to the following:

When you enquire about our services, We will request Personal Data such as your name, date of birth, email address and telephone numbers and information about you to help Us to register you to see a doctor and to contact You with further information such as results of tests and investigations. When you register with the Practice we will request detailed medical information relevant to you. This information is stored within a hosted practice management system, Heydoc.

Mindspace c/o Heydoc
9th Floor
9 Appold Street
London EC2A 2AP
United Kingdom

Heydoc is UK-based and GDPR compliant, with a number of key features:

  • 256-bit encryption and servers based in London
  • 2-factor authentication for user login with SSL encryption (the same level of security as used for online banking)
  • Ability to offer video consultations where needed

If you visit our website and make enquiries through this portal, Your usage may be tracked by using “cookies” and other similar technologies to help Us make improvements to the websites and to the services We make available. Please see the Cookies section below for more information.

Where We receive or make phone calls on Your behalf, We will collect call data records including the calling line identity passed, the call date and time, the number dialled and the duration of the call, the names of the parties to the call, and any message or other information given during the call.

Where We receive or send emails on Your behalf, We may collect the names and email addresses of the third parties and any information contained therein.

If We receive or send paper documents or other forms of communication on Your behalf, We may collect the names and addresses of the third parties and any information contained therein. When You access our web portal, We will collect information You enter into the portal and the IP addresses from which You access the portal. When You correspond with us by phone, email or otherwise, we archive these conversations in Google Suite, a business suite hosted by Google.

Where We provide relevant services to You, such as referral to specialists or referral to allied health practitioners, We will provide You with these in encrypted format.

We will NOT at any time share any of Your information with any third party for the purposes of marketing, advertising or website testimonials without specific consent.

In compliance with GDPR Article 6 (“processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract”), We will use the Personal Data for purposes that include but are not limited to:

  • Processing any enquiries You have about our services;
  • Verifying Your identity when You use Our services or contact Us;
  • Understanding, processing and executing instructions You give Us in relation to the delivery of our services;
  • Delivering our services to You;
  • Notifying You about changes to Our websites, services or terms and conditions or anything else We may be required or reasonably expected to notify You of;
  • Providing You with accurate and detailed billing for using Our services; and
  • Collecting payment, and recovering any monies You may owe to Us for use of Our services.

In compliance with GDPR Article 6 (“processing is necessary for compliance with a legal obligation to which the controller is subject”), We will use the Personal Data for purposes that include but are not limited to:

  • Maintaining Our business records and accounts;
  • Meeting Our obligations to HMRC;
  • Preventing or detecting a crime, fraud or misuse of our services, and investigating where We believe any of these have or may have occurred;
  • Meeting Our obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the London Local Authorities Act 2007.

In compliance with GDPR Article 6 (“the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes”), if You have given and not withdrawn consent We may use the Personal Data for these purposes:

  • to provide You with information about Our other services, offers or products that You may be interested in; and
  • to provide You with information about third party services, offers or products that You may be interested in.

Whilst storing your data we will use Appropriate Technical and Organisational Measures to keep Personal Data secure and to prevent it being accidentally lost, accessed or used in an unauthorised way, altered or disclosed. We will make reasonable efforts to ensure the data is accurate and up-to-date and will undertake to rectify any inaccuracies of which We become aware without delay. All Personal Data we store is stored in the European Economic Area.

We may monitor and record Your phone conversations with Us and use this information for training and quality purposes, to ensure any verbal instructions You give Us are properly understood, to enable Us to investigate complaints, and to meet Our legal and regulatory obligations. All recordings are encrypted and securely stored shortly after completion of the phone call and access to recordings is controlled and monitored.

We may share information with third parties:

  • In response to properly made requests from law enforcement agencies for the prevention and/or detection of a crime, for the purpose of safeguarding national security or when the law requires Us to, such as in response to a court order or other lawful demand or powers contained in legislation;
  • in response to properly made requests from regulatory bodies such as the Information Commissioner’s Office and Ofcom;
  • as part of the process of selling Our business;
  • as part of current or future legal proceedings; and
  • with a company who is assisting us in providing services to You or who provides services to us which enable Us to provide our services to You, examples of such services being billing and financial systems, telecommunications services and customer management systems. Where we use companies for this purpose we have contracts in place to ensure they remain GDPR compliant with your data.

Some of the organisations with whom we may share information may be outside the European Economic Area in countries that do not always have the same data protection laws as the UK. However, We will have contracts in place with them to ensure that Your information is adequately protected and We will remain bound by our obligations even when your personal information is processed outside the European Economic Area.

Where any data breach is identified that affects the information that We hold about or have processed from you, We will take urgent action in accordance with the GDPR and guidance issued from the Information Commissioner’s Office. If You identify any data breach that affects data We have passed to You, You must notify Us in writing immediately and provide full information about the data affected by this breach.

The time period that We will keep information for will vary depending on what the information is used for. Unless there is a specific legal requirement to the contrary, We will keep information in a form which permits identification of Data Subjects only for as long as it is necessary for the purposes for which We process it. Once the requirement to hold the data is complete, appropriate measures will be taken to delete the data in line with the terms of the GDPR. Any physical paper documents which enter Our possession and are no longer required will be destroyed by an ISO 27001 and NAID accredited data destruction organisation.

Automated decision making based on Personal Data is not used in Our business.

Cookies are tiny files of letters and numbers that are stored by Your web browser, either temporarily within your device’s memory or more permanently on Your device’s storage. We use analytical and tracking cookies on Our main website as a result of using services supplied by Bing and Google. These cookies contain data including but not limited to: details of the operating system, browser and IP address of the device used to visit the website, the time and duration of the visit and which parts of Our website were visited. They allow Us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. These cookies are stored on Your device’s storage or

Data subject access request

Under the GDPR, a Data Subject has the right to request a record of the data held about him/her. To do this a request should be submitted in writing to the Practice Manager, Oncotrust Ltd. We may ask the Data Subject to provide Us with proof of identity to make sure We are giving information to the right person.

Other rights of Data Subject

The GDPR gives Data Subjects a number of other rights including the right to request the correction or erasure of Personal Data, the right to request the restriction of processing of Personal Data, the right to request the transfer of Personal Data (to the Data Subject or a third party), and the right to withdraw Your consent to the processing at any time where consent is the lawful basis for processing.


Please note that the ways in which we collect, use and protect Personal Data will be reviewed periodically and may change from time to time. We will notify you by email should such changes occur.

Contact Us

If you have any questions about privacy issues, want Us to update Your marketing preferences, or amend information, please contact Us either by email at or by post at Oncotrust Ltd.


In the first instance, please contact Us using the details above. If this does not resolve your complaint to your satisfaction, You have the right to complain to the Information Commissioner about the way in which we collect and use Your personal Data. Email or telephone 0303 123 1113 or write to ICO, 100 College Road, Harrow, HA1 1BQ.

We are registered with the ICO reference number.

I agree to the collection and processing of my data in accordance with the terms and conditions detailed above.

Any other information you would like to add……………………………

Signed: ……………………………………………..……………………...

(Patient’s signature) Date: ……………………………………………...