Privacy Policy

Data protection and privacy notice

How We Use Your Information

The General Data Protection Regulation (GDPR) seeks to protect and enhance the rights of patients and individuals. These rights cover the safeguarding of personal data and protection against the unlawful processing of personal data.

1. Organisation and Governance

Origin Health Care Group Ltd (Company No. 16914475), trading as Origin HRT, operates in partnership with SJLD Ltd (Company No. 13138487), trading as Urban Health Care, which is registered with and regulated by the Care Quality Commission (CQC).

  • CQC Location ID: 1-11736605080
  • CQC Provider ID: 1-10993862536

The Data Controller at our clinic is SJLD Ltd trading as Urban Health Care, which is also registered with the Information Commissioner’s Office (ICO).

The Data Protection Officer (DPO) is Timothy Liggins, who ensures that the clinic complies with data protection requirements and that personal data is collected, used, stored, and disposed of responsibly.

The Information Governance (IG) Lead is Timothy Liggins, who maintains a robust Information Governance Management Framework for the current and future management of information and compliance with relevant legislation.

2. About This Privacy Notice

This privacy notice explains the type of personal information we hold, why we hold it, and how it is used.

In providing your medical care and treatment, we will ask for information about you and your health. We may also receive information about you from other healthcare providers who have been involved in your care.

We do not share your personal information with third parties unless we have a contract in place for them to process data on our behalf, or unless we are legally required to do so.

Where referrals to other healthcare providers are necessary, your consent will be obtained before any personal data is shared.

We only collect and use personal information for specific lawful purposes. Below, we explain the categories of data we hold, why we hold them, and the lawful basis for processing.

3. Categories of Data

The clinic processes personal data and special category data, including:

  • Patient health records, correspondence, and personal details
  • Staff employment records, including health information and criminal record checks
  • Personal data used for marketing purposes
  • Personal data relating to contractors
  • Limited payment-related data, such as transaction references, payment status, and billing information associated with monthly subscriptions or one-time purchases. Card and bank details are processed securely by third-party payment service providers and are not stored by the clinic.

4. Lawful Basis for Processing Your Data

Processing includes collecting, storing, updating, and archiving data. We process personal and special category data on the following lawful bases:

  • Patient data: processed to provide safe and effective healthcare and treatment, and where necessary in our legitimate interests and in accordance with healthcare obligations under data protection law
  • Staff data: processed to meet legal obligations under employment, taxation, and pensions legislation
  • Contractor data: processed to fulfil contractual obligations

Examples of Data Processed

Your contact details, such as name, date of birth, address, telephone number, and email address, are used to manage appointments, send reminders, and support continuity of care.

Financial information relating to fees and payments is processed to fulfil contractual and legal financial obligations.

Health records, which are special category data, include clinical records, treatment plans, medical history, clinical notes, correspondence, appointment details, and complaints relating to your care.

5. Sharing Your Information

Your information is normally accessed only by those working within the clinic.

Where necessary, information may be shared on a strict need-to-know basis with:

  • Other healthcare professionals involved in your care, such as specialists or your GP
  • IT and clinical software providers for secure data hosting and backup
  • Accountants, occupational health providers, and government agencies such as HMRC where legally required

All recipients of data are legally required to maintain confidentiality.

Information will not be disclosed without consent unless required by law or where there is a serious risk to health or safety.

6. Use of Clinical Management Software (Zanda Health)

We use Zanda Health, a clinical practice management system, to securely manage patient records, appointments, correspondence, and clinical documentation.

Zanda Health acts as a data processor on our behalf and processes personal and special category health data strictly in accordance with our instructions and applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data stored within Zanda Health is protected by technical and organisational security measures, including access controls, secure hosting, audit functionality, and routine security safeguards.

Access is restricted to authorised clinic staff only.

7. How We Keep Your Data Secure

Personal and special category data is stored securely on our clinical systems.

Access is limited to authorised staff who are trained in data protection and confidentiality obligations.

Systems are protected by access controls, audit trails, and routine backups. Information Governance procedures support ongoing data security and compliance.

8. Retention of Data

Patient records are retained for as long as we are providing care or recall services. In line with Department of Health guidance, medical records may be retained for up to 30 years where appropriate.

Employment records are retained for six years after employment ends, or longer where legally required.

Contractor data is retained for seven years after contract completion.

9. Website Use, Cookies and Analytics

When you visit our website, limited personal data may be collected through the use of cookies and similar technologies. This may include your IP address, device information, browser type, and information about how you use the website.

We may use analytics tools, including Rank Math Analytics and Google Analytics, to help us understand how visitors interact with our website and to improve its performance and content.

Analytics cookies are not strictly necessary and are only placed on your device with your consent, which can be given or withdrawn at any time via our cookie consent banner.

For full details about the cookies we use and how you can manage your preferences, please refer to our Cookie Policy.

10. Your Rights

You have the right to:

  • Be informed about how your data is used
  • Access the information we hold about you
  • Request correction of inaccurate data
  • Request erasure of certain non-clinical data, although clinical records cannot usually be erased
  • Request transfer of your data to another provider
  • Object to certain uses of your data, such as marketing communications

Requests should be made in writing to Timothy Liggins, Data Protection Officer, at rm@urbanhealthcare.co.uk.

Identity verification may be required. Requests will be responded to within 30 days.

11. Concerns About Data Use

If you have concerns about how your data is used, please discuss them with your clinician or healthcare professional, or contact the Data Protection Officer.

If concerns cannot be resolved and you remain dissatisfied, you may raise a complaint with the Information Commissioner’s Office (ICO) via www.ico.org.uk or by calling 0303 123 1113.