Privacy Notice

Last updated: January 2026

1. INTRODUCTION

At OneAdvanced, we are committed to protecting your personal data and privacy. This Patient Services Privacy Notice explains how the OneAdvanced Group processes your personal data. We are committed to protecting your privacy rights and freedoms regarding your personal data in accordance with the UK GDPR, and other applicable data protection laws including the Data (Use and Access) Act 2025, which governs information standards for health and social care systems. This notice describes how we collect, store, use, and share personal information, and explains your rights in relation to the personal information we hold about you. This notice applies to all users of the Patient Services system.

This notice is subject to regular review and update to ensure continued compliance with evolving data protection requirements and organisational changes.

2. WHO WE ARE

When we say "we", "us" or "OA" in this Privacy Notice, we're referring to OneAdvanced Limited, a company registered in England and Wales (registration number 05965280) with its registered office at The Mailbox Level 3, 101 Wharfside Street, Birmingham, United Kingdom, B1 1RF.

For a full list of OneAdvanced legal entities, please visit our website here.

3. DEFINITIONS

Data Controllers - as defined under UK GDPR, Data Controllers determine the process and means of processing personal data.

Data Processors - as defined under UK GDPR, Data Processors process personal data on behalf of the Data Controllers.

Personal Data - as defined under UK GDPR, relates to the identified or identifiable nature (living) person.

Data Processing - as defined under UK GDPR, any operation or set of operations performed on personal data.

UK GDPR - UK General Data Protection Regulation as incorporated into UK law.

4. DATA CONTROLLER AND PROCESSOR RELATIONSHIP

OneAdvanced acts as the Data Processor on behalf of participating NHS healthcare services who are the Data Controllers and are responsible for determining the purposes and means of processing your personal data. Our data processing relationship is governed by formal Data Processing Agreements (DPAs) established with each NHS Trust/ICB or other healthcare provider, which set out the specific terms, conditions, and safeguards for processing patient data.

We maintain compliance with NHS Digital's Data Security and Protection Toolkit (DSPT) requirements, ensuring that our data processing activities meet the mandatory security standards required for organisations handling NHS patient data. This includes adherence to the National Data Guardian's data security standards and compliance with NHS-specific information governance frameworks.

We process your personal data strictly in accordance with:

Written instructions from the controlling healthcare service as documented in our DPAs.
Applicable UK data protection laws including UK GDPR and the Data Protection Act 2018.
NHS Records Management Code of Practice for Health and Social Care.
NHS Information Governance requirements and standards.
Clinical governance frameworks as specified by the controlling NHS organisation.

Our role as Data Processor is limited to processing personal data for the specific purposes outlined in the contractual arrangements with your healthcare provider. We do not determine the purposes of processing, nor do we process your data for any purposes beyond those explicitly instructed by the Data Controller.

All data processing activities are subject to regular audit and monitoring in accordance with NHS contractual requirements and our DSPT compliance obligations.

4.1 Using the site

By using this website you can view your personal healthcare related data held by your GP practice in your medical record.
If you have any concerns or questions about this information, or you think any of it is wrong, please contact your GP practice.
When using this site to update your personal information or contact your GP, please check carefully the information you enter and make sure it is correct.

4.2 Information we collect from you

Registration Data: When you register to use the Patient Services site, we collect the following data:

your username (the name you register to use the system with).
your full name (first and last).
your email address.
your date of birth.
your device IP address (unique address associated to your computer or mobile device).

Technical Information: The service uses standard web security measures to protect your connection. Like all websites, technical information such as your device's IP address may be temporarily processed by our hosting infrastructure to maintain security and prevent unauthorised access. This technical information is not stored, linked to your personal data, or used for any other purpose.

5. COOKIES AND SIMILAR TECHNOLOGIES

When the cookies are accepted, we gather information about your general internet usage by using a cookie file stored on the hard drive of your computer.

Cookies contain information that is transferred to your computer's hard drive that then allow us to improve the site and to deliver a better and more personalised service.

5.1 Specifically, cookies enable us to:

Estimate our audience size and usage pattern.
Store information about your preferences which allows us to customise the site according to your individual interests.
Speed up your searches and
Recognise you when you return to the site.

You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting, you may be unable to access certain parts of the site. You have to take the positive action of accepting the cookies as way of providing your consent.

6. LAWFUL BASIS FOR PROCESSING

Your healthcare provider (the Data Controller) is responsible for determining how and why your personal data is processed. They process your information under UK GDPR Article 6(1)(e) (public task - provision of healthcare services) and Article 9(2)(h) (health and social care purposes) and DPA 2018 Schedule 1, Part 1, paragraph 2 for health/social care purposes.

OneAdvanced acts as a Data Processor, processing your data only on behalf of and under the instructions of your healthcare provider. We do not make independent decisions about your data.

7. DATA STORAGE AND SECURITY

All information you provide to us is stored in UK-based, Tier 4 secure data centres.

We do not have access to or ask you to share any passwords, regardless of who has set them (you or the GP Practice).

You are responsible for keeping your password safe, so please never write it down or share it with anyone, even your GP practice.

Your data is protected during transmission to our site by using TLS 1.2 policies, which encrypts the information you provide. This meets current NHS England security standards for data in transit.

Once the data has been received, we add additional layers of protection via policies that include:

NHS-Specific Security Requirements:

Compliance with NHS England's Data Security and Protection Toolkit standards.
Implementation of the National Data Guardian's data security standards.
Regular security assessments aligned with NHS information governance frameworks.
Incident response procedures meeting NHS England requirements.
Staff security training and background checks appropriate for NHS data handling.

Operational Security Controls:

Data minimisation principles ensuring we only process data necessary for the specified purposes.
Regular security reviews and updates to maintain compliance with evolving NHS requirements.
Backup and recovery procedures tested regularly to ensure data availability and integrity.
Change management processes to ensure security controls are maintained during system updates.
Our security framework is regularly audited by independent third parties and is subject to ongoing monitoring to ensure continued compliance with NHS security standards and contractual obligations.

However, it is important that you protect against any unauthorised access to your password and computer and ensure you sign out/log off when you are leaving the site, particularly when using a shared computer.

8. USES MADE OF THE INFORMATION

8.1 We use your data in the following ways:

To ensure that the content of our site is presented effectively.
To provide you with the information you have either requested or registered an interest to receive.
To carry out our obligations as data processors which may arise from the contracts that we have entered into.
To allow you to participate in the interactive features when you choose to do so.
To notify you about changes to our service.

You are free to close your Patient Services account at any time and request that your data be deleted from our servers.

9. DATA RETENTION

Registration and Account Data: OneAdvanced retains your registration and account data (username, email address, date of birth) for a maximum of 2 years from your last login. This enables you to access the Patient Services portal. If you do not use the site for 2 years, your account will be deactivated and your registration data deleted. You can request deletion of your account at any time.

Clinical Data: Your medical records and clinical data are held by your GP practice in accordance with NHS Records Management Code of Practice (typically 10 years after last contact, or longer for certain records). OneAdvanced does not retain copies of your clinical data - we only provide access to data held by your GP practice.

We will respond to deletion requests within one month of receipt.

10. YOUR RIGHTS UNDER UK GDPR

You have the following rights regarding your personal data:

Right of access: You can request a copy of your personal data.
Right to rectification: You can ask for inaccurate information to be corrected.
Right to erasure: You can request deletion of your data in certain circumstances.
Right to restrict processing: You can ask for processing to be limited.
Right to data portability: You can request your data in a portable format.
Right to object: You can object to processing in certain circumstances To exercise these rights, please contact your healthcare provider in the first instance.

Important Note About Healthcare Records: Some rights may be limited where:

Retention is required for your ongoing clinical care and safety.
Legal or professional obligations require record preservation.
Processing is necessary for public health purposes Any restrictions will be explained to you by your healthcare provider and will be based on clinical governance requirements and patient safety considerations.

Decisions regarding rights restrictions are made by qualified healthcare professionals in accordance with NHS clinical governance frameworks and will be communicated with clear explanations of the reasoning applied.

You can find more information about your rights on the Information Commissioner's Office website: ico.org.uk. Should you wish to exercise any of your rights, please contact the relevant healthcare provider in the first instance, as they are the Data Controllers. These rights are not absolute, and most will need to be addressed by the Data Controllers.

11. RIGHTS ONEADVANCED ARE ABLE TO EXERCISE UPON REQUEST

11.1 Right to Rectification

If you identify any inaccurate data, then you may be able to rectify it yourself by logging into your account. However, should you require our assistance, then please contact us at dataprotection@oneadvanced.com.

Should you find there are inaccuracies in your healthcare record, please contact your GP Practice as we are not able to access your health records.

11.2 Right to Erasure/Account Deletion

The right of erasure is also known as the 'right to be forgotten'. You have the right to ask us to erase/delete your account and all your associated data.

12. RIGHT TO COMPLAIN

Should you be unhappy with the details in this Privacy Policy or have any other concerns please contact us in the first instance so we may work together to resolve the issue.

If you are unsatisfied with our response, you are free to make a complaint to the UK data regulatory body, the Information Commissioner's Office via their website: ico.org.uk/make-a-complaint.

These rights are not absolute but all requests we receive will be considered carefully and will be responded to within one calendar month.

13. THIRD PARTY SITES

Our site may, from time to time, contain links to and from the websites of third parties. If you follow a link to any of these websites, please note that they will contain their own privacy policies and we cannot accept any responsibility or liability for these. Please check these policies before you submit any personal data to these websites.

14. INTERNATIONAL TRANSFERS

We do not transfer your personal data outside the UK.

All data processing takes place within UK-based secure data centres.

15. CHANGES TO OUR PRIVACY POLICY

Any changes we make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email.

We recommend that you check this page regularly to keep up-to-date with any changes.

This privacy policy was last updated on 29th January 2026.

16. CONTACT INFORMATION

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to:

Primary Contact: the practice where you registered for this service
Data Protection Officer: dataprotection@oneadvanced.com