Aspen Med GDPR Privacy Notice

Privacy Policy – Aspen Med Patient Portal (Function 365)

Last updated: 17 December 2025

This Privacy Policy explains how Aspen Med Ltd ("Aspen Med", "we", "us", "our") collects, uses, stores, and protects personal data when you use the Aspen Med Patient Portal operated on the Function 365 platform.

This policy is specific to medical and health-related data and is intended to comply with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Common law duty of confidentiality

  • NHS and professional medical record-keeping standards (where applicable)



1. Who We Are

Legal entity: Aspen Med Ltd
Registered address: 2 Claridge Court, Lower Kings Road, Berkhamsted, HP4 2AF, England
Email: dpo@aspenmed.net

Aspen Med Ltd provides private medical services primarily in Scotland and across the United Kingdom. Although the company is registered in England, health data processing follows UK-wide data protection law.

Depending on the context, Aspen Med Ltd acts as:

  • Data Controller for patient medical records and clinical services

  • Joint Data Controller with clinical partners where care is shared

  • Data Controller for portal user accounts and administrative data

Function 365 acts as a Data Processor on our behalf for the Patient Portal infrastructure.



2. Types of Personal Data We Collect

2.1 Identity and Contact Data

  • Name, date of birth, gender

  • Address, email address, telephone number

  • Emergency contact details

  • NHS number (where provided)

2.2 Demographic and Equality Data (where relevant)

  • Ethnicity

  • Nationality or country of birth (where clinically relevant)

  • Preferred language and communication needs

This information may be collected where it is relevant to medical assessment, risk stratification, diagnostic interpretation, or to meet equality, safety, and access requirements. Provision of this data is generally optional unless clinically necessary.

2.3 Medical and Special Category Data

This may include:

  • Medical history, diagnoses, symptoms, examination findings

  • Laboratory results, imaging reports, and other investigations

  • Treatment plans, prescriptions, referrals, and correspondence

  • Sexual health, reproductive health, hormonal data, fertility data

  • Lifestyle, psychosocial, and wellbeing information where clinically relevant

Medical data, including genetic and biometric data where applicable, is classified as special category data under UK GDPR.

2.4 Administrative and Financial Data

  • Appointment records

  • Invoices and payment status (note: payment card data is processed by third-party payment providers, not stored by Aspen Med)

2.5 Technical and Usage Data

  • Portal login activity

  • Device and browser information

  • Audit logs required for clinical governance and security



3. Lawful Bases for Processing

We process personal and medical data under the following lawful bases:

3.1 Provision of Medical Care

  • Article 6(1)(b) – performance of a contract (medical services)

  • Article 6(1)(c) – legal and regulatory obligations

  • Article 9(2)(h) – provision of health or social care

3.2 Clinical Governance and Safety

  • Article 6(1)(c) – compliance with legal obligations

  • Article 9(2)(h) – medical diagnosis and treatment

3.3 Consent (where applicable)

Certain activities (e.g. newsletters, optional research participation) rely on explicit consent, which may be withdrawn at any time.



4. How We Use Your Data

We use your data to:

  • Provide safe, effective, and personalised medical care

  • Maintain accurate medical records

  • Communicate with you regarding appointments, results, and care

  • Meet professional, legal, and regulatory obligations

  • Support clinical audit, quality improvement, and service development

Where data is used for analysis or research, it will be anonymised or pseudonymised wherever possible.



5. Data Sharing

We may share your data with:

  • Laboratories, imaging providers, and diagnostic services

  • Other healthcare professionals involved in your care

  • Members of a multidisciplinary care team involved in your treatment (including medical, nursing, allied health, and wellbeing professionals)

  • Regulated clinical partners working under shared care arrangements

  • External healthcare providers or specialists to whom you are referred

  • Insurance providers where required for authorisation, billing, or reimbursement purposes

  • Professional indemnity providers, regulators, or authorities where legally required

  • IT service providers (including Function 365) acting under strict data processing agreements

Data shared with insurance providers is limited to what is necessary for administrative, billing, and reimbursement purposes and does not extend beyond what is required for those processes.

We do not sell patient data.



6. Data Storage and Security

  • Patient data is stored on secure servers located in the United Kingdom or approved jurisdictions

  • All systems used comply with industry-standard security measures including encryption, access controls, and audit logging

  • Access to medical records is restricted to authorised healthcare professionals

Where data is transferred outside the UK or European Economic Area, appropriate safeguards (such as UK adequacy regulations or standard contractual clauses) are applied.



7. Use of Data for Research, Audit, and Service Development

Aspen Med is committed to advancing medical knowledge, improving patient care, and developing innovative healthcare services through re