ODSTOCK MEDICAL LIMITED
At Odstock Medical Limited (OML), we are committed to protecting and respecting individuals’ privacy. This privacy notice explains what personal information we collect about you, how and why we process (collect, store, use and share) your personal information, your rights in relation to your personal information and how to contact us or make a complaint.
When we process your personal information we are regulated under the UK GDPR, as enacted by the European Union (Withdrawal) Act 2018, and UK Data Protection Act 2018, among others. We are responsible as ‘controller’ of personal information for the purposes of those laws and our Data Protection Registration number is: Z2749138.
By ‘personal information’, we mean information which relates to you as an individual and tells us something about you.
1. The personal information we collect and use
The personal information we collect, and the use we make of it, varies depending on our relationship with you. For that reason, this privacy notice distinguishes between our patients, funders, distributors, suppliers and job applicants. Please be sure to read the sections of the privacy notice which relate to you.
2. Patients 
2.1. Personal information we collect about you
- Name, date of birth/age, gender, contact details (fax, telephone, mobile telephone, email, address), who you live with and your next of kin;
- Health information (including photographs and videos) and NHS number;
- Your GP, consultant, clinician contact or other healthcare professional;
- Financial information.
Some of this information may be provided by your GP, consultant, clinician contact or other healthcare professional.
2.2. How we use your personal information
We use this information:
- to receive information about you from your GP, consultant, clinician contact, or other healthcare professional;
- to identify and communicate with you or your next of kin should this be necessary;
- to assess your medical needs and the correct treatment and/or product for you;
- to provide you with treatment or products;
- to process your payment for treatment or products and process expense claims of volunteers
- to keep you informed of our treatments and products;
- to provide clinical education (using volunteers’ information only); and
- to obtain your feedback on our service, treatment and products and your input into product development.
2.3. Who we share your personal information with
Generally, we will not share your information with anyone outside OML except as follows:
- your GP, consultant, other health professional, case manager or lawyer;
- NHS Clinical Commissioning Groups;
- NHS Shared Business Services which receives invoices on behalf of the commissioning group;
- our Outreach service providers and clinicians;
- law enforcement or other authorities if required by applicable law.
We will not transfer any patient information outside the UK.
2.4. Whether information has to be provided by you, and if so why
The provision of your personal information is necessary to enable us to provide you with appropriate treatment and products. We cannot help you without it.
2.5. How long we keep your personal information for
We keep your personal information for no longer than necessary for the purposes for which it was collected and in accordance with our Records Retention Policy which is available on request. We also adhere to the NHS Records Management Code of Practice 2021 wherever possible.
2.6. The legal basis on which we collect and use your personal information
We process your personal information on several legal bases, namely:
- Article 6(1)(a) that you have consented to the processing, for example, use of a photograph of you in our marketing material.
- Article 6(1)(b) that it is necessary for the performance of our contract with you or to take steps at your request prior to entering into a contract;
- Article 6(1)(c) that it is necessary for us to comply with a legal obligation, for example, holding your VAT exemption forms which may be required by HMRC;
- Article 6(1)(e) that it is necessary for the performance of a public task, namely the provision of healthcare services;
- Article 6(1)(f) that it serves our and your legitimate interests, for example, to keep you informed of our treatments and products, to provide clinical education and to obtain your feedback on our service, treatment and products and input into product development. We believe that you would reasonably expect this, and that it does not materially impact your rights, freedoms or interests;
3. Purchasers, funders, suppliers and distributors 
3.1. Personal information we collect about you
- Name, contact details (fax, telephone, mobile telephone, email and address), employer organisation, and job title. Some of this information may be obtained directly from your employer or via its website.
- HCPC registration (for private clinicians);
- Your bank details, tax or VAT number.
3.2. How we use your personal information
We use this information to:
- communicate with you or your employer organisation;
- administer our accounts with you regarding:
- the provision of goods and services to us (in the case of suppliers);
- the provision of funding for treatment or product purchase (in the case of funding organisations);
- overseas product sales (in the case of our distributors); and
- to ensure our patients receive high quality care.
3.3. Who we share your personal information with
Generally, we will not share your information with anyone except our employees or your employer organisation.
We will not transfer your personal information outside the UK.
However, we will share personal information with law enforcement or other authorities if required by applicable law.
3.4. Whether information has to be provided by you, and if so why
The provision of your contact information is necessary for the performance of our contracts with you or prior to entering into a contract. The provision of your financial information is necessary to facilitate payments between us. Your HCPC registration is necessary to ensure our patients receive high quality care. We cannot do any of these things without this personal information.
3.5. How long we keep your personal information for
Generally, we keep your personal information for seven years after the end of our contract with you or your employer or, if later, seven years after our respective legal and contractual obligations end. In some circumstances we keep your personal information for a shorter or longer period as required by our Records Disposal Policy which is available on request.
3.6. The legal basis on which we collect and use your personal information
We process your personal information:
- Article 6(1)(b) on the basis of that it is necessary to comply with our contractual obligations with you or in order to take steps at your request prior to entering into a contract; and
- Article 6(1)(f) where it serves our and your legitimate interests in a way that you would reasonably expect and which does not materially impact your rights, freedoms or interests.
4. Job applicants
4.1. Personal information we collect about you
We collect the following information from you:
- Your name, contact details (fax, telephone, mobile telephone, email and address);
- Details contained in your curriculum vitae, qualifications and references;
- Other personal information provided by you.
We also check whether you have a criminal record with the Disclosure and Barring Service.
4.2. How we use your personal information
We use your personal information to assess your suitability for a job and contact you in relation to that job.
4.3. Who we share your personal information with
When necessary, we will share your personal information with your employment agency.
Generally, we will not share your information with anyone outside OML or outside the UK.
However, we will share personal information with law enforcement or other authorities if required by applicable law.
4.4. Whether information has to be provided by you, and if so why
The provision of your name, contact details, CV, qualifications and references are necessary for us to assess your suitability for the particular job. We cannot do this without this personal information. We will inform you if the provision of any additional information is mandatory.
4.5. How long we keep your personal information for
We will keep your personal information for 6 months from the date of rejection for a job role or, if you are accepted for a job role, in accordance with our Privacy Notice for Staff.
4.6. The legal basis on which we collect and use your personal information
We process your personal information on the basis of Article 6(1)(a) consent when applying for positions and Article 6(1)(f) our and your legitimate interests in assessing your job application as you would reasonably expect and without materially impacting your rights, freedom or interests.
5.1 CCTV: The security of our premises is managed by Salisbury NHS Foundation Trust (SFT), including the use of CCTV images. If you visit our premises then you will likely be recorded by the cameras operated by SFT. If you would like further information about the purposes of the cameras, how the footage is processed, including the retention period, or would like to request copies of the footage then please contact the SFT Data Protection Officer at firstname.lastname@example.org.
5.2 Mailchimp: We use Mailchimp to send surveys and requests for feedback. The contact details used when sending communications are collected and processed under Article 6(1)(a) Consent or Article 6(1)(f) legitimate interests. Mailchimp is hosted in the US and we have signed a Data Processing Addendum with the company to ensure that they meet the strict EU/UK Standard Contractual Clauses. This will not affect any of your rights under the GDPR or Data Protection Act 2018.
5.3 Contacting us: In order to respond to your communications we will need to process your information. Examples of this will be to process the feedback you provide to us on the website, or to process your requests for a brochure. Information collected and processed will be used in accordance with the Data Protection Principles and any data collected will not be excessive and will not be used for any other purpose other than what is identified in your correspondence to us.
5.4 Communications: We will send communications when there are training opportunities or to make information available about our products. Whenever we send communications we will follow the NHSx Direct Marketing guidance. If you have consented to receive marketing emails from us then you will be able to opt out of these messages at any time.
6. Your rights
6.1. Under data protection laws you have a number of important rights free of charge. In summary, those include the right to:
- access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address;
- erasure of personal information concerning you in certain situations;
- receive the personal information concerning you which you have provided to us in a structured, commonly used and machine-readable format, for example, on a disk, electronic file or paper and have the right to transmit that information to a third party in certain situations;
- object at any time to processing of personal information concerning you for direct marketing;
- object in certain other situations to our continued processing of your personal information; and
- otherwise restrict our processing of your personal information in certain circumstances.
6.2. For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the UK General Data Protection Regulation. A brief summary can be found here:
6.3. If you would like to exercise any of those rights, please:
- email us at email@example.com;
- let us have enough information to identify you;
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
- let us know the information to which your request relates.
6.4. If you would like to unsubscribe from any marketing material you receive from us you can do so by contacting us at firstname.lastname@example.org. It may take up to five working days for this to take place.
7. Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected information security breach. We will notify you and any applicable regulator of a suspected information security breach where we are legally required to do so.
8.1 Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
8.2 These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited.
9. How do I change my cookie settings?
9.1 You will be asked for your cookies preferences when you first enter the website. This is an opt-in process.
9.2 In addition, most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.
9.3 To find out how to manage cookies on your browser, such as: Google Chrome; Microsoft Edge; Mozilla Firefox; Microsoft Internet Explorer; Opera and Apple Safari, you can visit the browser developer’s website.
9.4 To opt out of being tracked by Google Analytics across all websites, visit: http://tools.google.com/dlpage/gaoptout.
10. How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
Our Data Protection Officer is provided by Stabe Ltd and they can be contacted at email@example.com. Stabe Ltd are registered with the ICO and their data protection registration number is: ZA711965.
You also have the right to complain to the UK Information Commissioner, who may be contacted at https://ico.org.uk/concerns/ or by telephone on: 0303 123 1113. If you live or work elsewhere in the EU or EEA, you can also complain to your local supervisory authority.
11. Changes to this privacy notice
We may change this privacy notice from time to time. The up-to-date version will be on our website at www.odstockmedical.com
12. How to contact us
Please contact us if you have any questions about this privacy notice or the information we hold about you.
If you wish to contact us, please send an email to firstname.lastname@example.org or write to Odstock Medical Limited, The National Clinical FES Centre, Salisbury District Hospital, Salisbury, Wiltshire, SP2 8BJ.