This policy sets out our Privacy Policy and defines data processing of patient medical records in accordance with General Data Protection Regulations. The policy explains why personal and medical information is collected, and how that information may be used.

How we use your personal information
The policy explains why personal and medical information is collected, and how that information may be used to provide:

  1. The best possible healthcare.
  2. Medicolegal reports following instructions from solicitors and/or barristers
  3. Consultancy services to third parties

This policy applies to all staff employed by Cambridge Medicolegal Limited.

Business details of Data Processor/Controller
Cambridge Medicolegal Ltd is a company registered in England and Wales under company number 08442653 and with a registered office at 10 Jesus Lane, Cambridge, England, CB5 8BA

Privacy Policy

Data Controller or Processor

  1. When providing diagnostic & treatment services for GP-referred or self-referred patients with breast disease, Cambridge Medicolegal meets the legal definition of a Data Controller.
  2. When acting under instruction from Solicitors, Cambridge Medicolegal meets the legal definition of a Data Processor.
  3. When providing consultancy services, Cambridge Medicolegal meets the legal definition of a Data Processor.

Collecting personal information
We may collect, store and use the following kinds of personal information:

  1. Name, date of birth, address, contact details, legal representative
  2. Details of consultations, appointments, written and telephone communications
  3. Medical records related to a patient’s health
  4. Medical records related to diagnosis and treatment
  5. Results of investigations including laboratory tests, x-rays and pathology results
  6. Relevant information from other health professionals
  7. Instructions from solicitors that contain previous medical history and medical records.

Before any third party discloses to us the personal information of another person, that person’s consent to both the disclosure and the processing of that personal information must be obtained in accordance with this policy.

Using personal information
Personal information submitted to us through our website, phone calls, emails or in person will be used for the purposes specified in this policy.

We may use this personal information to:

  1. Provide patients with the best possible healthcare, specifically for the diagnosis and treatment of breast disease.
  2. Provide medicolegal reports for patients pursuing clinical negligence claims following instructions from solicitors and/or barristers
  3. Provide consultancy services for companies and/or third parties.

Disclosing personal information
We may disclose your personal information to any of our employees, other healthcare professionals, solicitors or medical authorities insofar as reasonably necessary for the purposes set out in this policy and in the delivery of our services.

International data transfers
All data is stored within the EEA. All external parties with whom we may share data are based in the EEA. Any data we collect from data subjects outside the EEA may be stored & processed within the EEA and the country of residence of the data subject and where there is a legal premise to do so.

Your explicit consent to the transfers of personal information described in this section will be recorded if applicable.

Retaining personal information
This section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal information.

Personal information that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Without prejudice to other obligations set out in this contract or legal obligations, we will usually delete personal data falling within the categories set out below at the date/time set out below:

  1. Personal & sensitive data of a medical nature will be deleted securely 7 years after patient discharge or last seen for the purpose of private practice patients;
  2. Personal & sensitive data related to medicolegal reports will be deleted immediately and securely after notification that a case has closed, or when no further communication has been received from the solicitor for a period of three years.
  3. When a patient asks us to erase data in compliance with GDPR Article 17.

Notwithstanding the other provisions of this contract, we will retain medical documents & records containing personal data:

  1. To the extent that we are required to do so by law.
  2. If we believe that the documents may be relevant to any ongoing or prospective legal proceedings.
  3. In order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk).

The retention periods are based on the potential timelines for prospective legal proceedings related to clinical negligence cases in the UK.

Security of personal information
We will take reasonable technical and organizational precautions to prevent the loss, misuse or alteration of your personal information.
We will store all the personal information you provide on our secure (password- and firewall-protected) servers or locked filing cabinets.
All communications via electronic documents and database records will be protected by encryption technology.
You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.

We may update this policy from time to time by publishing a new version on our website.
You should check this page occasionally to ensure you are happy with any changes to this policy.
Please let us know if the personal information that we hold about you needs to be corrected or updated.

Your rights
You may instruct us to provide you with any personal information we hold about you; provision of such information will be subject to:

  1. There is no payment required; and
  2. The supply of appropriate evidence of your identity; for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address.
  3. We may withhold personal information that you request to the extent permitted by law.
  4. You may instruct us at any time not to process your personal information as permitted by law.
  5. You can instruct us to erase your data, in compliance with GDPR Article 17.
  6. You have the right to lodge a complaint with the Data Protection Authority if you consider your rights have been breached in any way.

Note: The UK Data Protection Authority can be contacted on the following link:

We are regulated by the UK Information Commissioner’s Office (Reference No: ZA387076).

Our details
You can contact us:

By telephone, on the contact number published on our website; or
By email, using the email address published on our website.