Back to homeLegal

Privacy Notice

1. Introduction

PortsMed Ltd (“PortsMed”, “we”, “us” or “our”) provides clinical care and diagnostic services, as well as operating and managing clinical premises from which healthcare services are delivered.

We are committed to protecting personal data and handling it lawfully, transparently and securely, in accordance with:

  • the UK General Data Protection Regulation (UK GDPR)
  • the Data Protection Act 2018
  • the Privacy and Electronic Communications Regulations (PECR)
  • NHS Data Security and Protection Toolkit (DSPT) requirements
  • NHS Records Management Code of Practice

This Privacy Notice explains how we collect, use, store and share personal data when you:

  • receive clinical care or diagnostic services from PortsMed
  • are referred to PortsMed by another healthcare provider
  • receive healthcare services at our premises
  • visit our website
  • contact or communicate with us
  • attend our premises as a patient, visitor or accompanying person
  • are a tenant clinician or healthcare organisation working from our premises

2. Who We Are (Data Controller)

PortsMed Ltd
122–124 London Road
North End
Portsmouth
PO2 9DD
United Kingdom

Email: info@portsmed.co.uk

For the purposes of UK GDPR, PortsMed Ltd is a data controller of personal data processed in connection with its clinical services, diagnostics, premises management and associated activities.

Where healthcare services are provided by tenant clinicians or organisations, data controller responsibilities may be shared or separate, as explained below.

3. Personal Data We Process

3.1 Personal Data for Clinical Care and Diagnostics

When you receive clinical care or diagnostic services from PortsMed, we may process:

  • Name, address, date of birth, NHS number (where applicable)
  • Contact details
  • Referral information
  • Medical history relevant to your care
  • Diagnostic results and clinical records
  • Appointment and attendance details

This information is classed as special category data (health data) under UK GDPR.

3.2 Personal Data Received via Referrals

PortsMed may receive personal data from:

  • NHS organisations
  • private healthcare providers
  • occupational health providers
  • diagnostic and referral management services

Referral information may include identifiers and relevant clinical data necessary to provide safe and effective care.

In these circumstances, PortsMed acts as a data controller for the care and diagnostics it provides following referral.

3.3 Personal Data Processed for Premises and Reception Management

PortsMed operates reception and facilities that support patients attending services on site.

We may process limited personal data for purposes such as:

  • confirming patient arrival
  • directing patients to the correct service or clinician
  • maintaining site security and safety

This may include:

  • patient name
  • appointment time and service attended
  • clinician or department

PortsMed does not access or process clinical records belonging to tenant clinicians unless legally required or explicitly authorised under a data sharing agreement.

3.4 Tenant Clinicians and Third Party Healthcare Providers

Healthcare professionals and organisations renting or operating from PortsMed premises (“tenants”) are typically independent data controllers for their own patients’ clinical records.

Depending on the circumstances:

  • PortsMed may be a separate controller for premises and reception data
  • PortsMed and a tenant may act as joint controllers, where responsibilities overlap
  • PortsMed may act as a data processor for limited administrative functions

These roles are governed by appropriate contractual arrangements.

3.5 Other Personal Data

We may also process:

  • enquiry and correspondence information
  • account and billing information
  • visitor and security records
  • website usage data (see Cookies)

4. Lawful Bases for Processing

4.1 Article 6 UK GDPR

We process personal data under one or more of the following lawful bases:

  • Performance of a contract — providing clinical care, diagnostics and related services
  • Legal obligation — compliance with healthcare, safeguarding, regulatory and tax requirements
  • Legitimate interests — operating safe premises, service improvement, fraud prevention
  • Consent — marketing communications, where required

4.2 Article 9 UK GDPR (Health Data)

Health data is processed under:

  • Article 9(2)(h) — provision of health or social care or treatment
  • Article 9(2)(g) — substantial public interest (where applicable)
  • Explicit consent, where required by law

5. How We Use Personal Data

We use personal data to:

  • provide safe and effective clinical care and diagnostics
  • receive and manage referrals
  • communicate with patients about appointments, results and care
  • manage reception, arrivals and premises
  • comply with clinical governance and legal obligations
  • maintain records in line with NHS guidance
  • improve our services
  • ensure security and safety

Data minimisation principles are applied at all times.

6. NHS Compliance and Records Management

PortsMed aligns its data protection practices with:

  • NHS Data Security and Protection Toolkit standards
  • NHS Records Management Code of Practice

This includes:

  • role based access controls
  • staff confidentiality training
  • secure handling, storage and disposal of records
  • audit trails and accountability
  • incident and data breach reporting procedures

Clinical records are retained in accordance with NHS retention schedules and statutory requirements.

7. Data Sharing

We may share personal data with:

  • NHS bodies and healthcare providers involved in your care
  • diagnostic and laboratory services
  • IT system providers and clinical systems suppliers
  • regulators and statutory authorities
  • professional advisers

All data sharing takes place under lawful bases and appropriate safeguards.

We do not sell personal data.

8. International Transfers

Where personal data is processed outside the UK, appropriate safeguards are used, including:

  • UK Standard Contractual Clauses
  • adequacy regulations

9. Data Retention

Personal data is retained only as long as necessary:

  • Clinical records — in line with NHS Records Management Code of Practice
  • Diagnostic records — per statutory and clinical governance requirements
  • Reception and operational records — short term operational retention
  • Financial records — typically 6–7 years
  • Marketing data — until consent is withdrawn

10. Cookies

Our website uses a small number of cookies. We do not use any advertising, marketing or analytics cookies.

10.1 Strictly necessary cookies

We set one first-party cookie, named portsmed_session. It is used solely to keep authorised staff signed in to the administrative area of the website. It is not set for general visitors to the site. The cookie is HttpOnly, Secure, SameSite=Lax and expires when the session ends.

10.2 Third-party cookies from embedded services

The Contact section of our homepage includes an embedded Google Maps frame so visitors can see our location. When this frame loads, Google may set its own cookies against google.com under Google’s own privacy policy. We do not control these cookies and do not receive any data from them.

10.3 Payments

Payments for appointments are processed by SumUp, our payment provider. When you pay, you are redirected to SumUp’s own secure payment pages (hosted on SumUp’s domain). Any cookies set during the payment process are set by SumUp under their privacy policy, not by PortsMed. We do not see or store your full card details.

10.4 Managing cookies

You can control or delete cookies through your browser settings. Blocking strictly necessary cookies may prevent staff from accessing the administrative area but will not affect your use of the public website.

11. Children’s Data

We provide healthcare services to children where clinically appropriate and lawful.

Personal data relating to children is handled with enhanced safeguards and in accordance with healthcare and safeguarding requirements.

12. Automated Decision Making

PortsMed does not use personal data for automated decision making or profiling that produces legal or similarly significant effects.

13. Your Rights

Under UK GDPR, you have the right to:

  • access your personal data
  • rectification
  • erasure (where applicable)
  • restriction of processing
  • data portability
  • objection to processing
  • withdraw consent

Some rights may be limited where processing is required for medical, legal or public interest purposes.

Requests can be made using the contact details above.

14. Complaints

If you have concerns, please contact us first.

You may also complain to the Information Commissioner’s Office (ICO):

Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk

15. Updates to This Notice

This Privacy Notice may be updated from time to time.

The most current version will always be available on our website.

© 2026, PortsMed. All rights reserved.