Patient Privacy Notice

Who are we?

IPRS Health is an independent provider of healthcare and wellbeing services. You have received this notice because IPRS Health has been contracted to provide clinical services to you, on behalf of one of the following:

  • Your employer;
  • Your employer's Occupational Health provider;
  • Your employer's insurer;
  • Your Private Medical Insurance provider;
  • Your Cash Health Plan provider;
  • Your insurer or a third party’s insurer, or;
  • Your solicitor or a third party’s solicitor.

To allow us to provide these services, we need to collect, process and store your personal and health-related information. This notice is to tell you why we need to do this, how the processing takes place and what we are allowed to do with your data – with and without your consent.

IPRS Health is registered in the UK with the Information Commissioner’s Office (ICO) as a Data Controller, and is permitted to process personal and special categories of information (health data, for instance) in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA).

As part of its responsibilities IPRS Health has a Data Protection Officer, who is responsible for monitoring the compliance of IPRS Health’s data protection activities. If you have any questions or concerns about your data protection, please contact or contact 0800 072 1227.

Why do we collect information from you?

 To be able to manage your health or wellbeing referral to the best of our abilities, and to ensure that we provide the most appropriate care for your needs, we need to collect your personal data and certain health-related information. This information may take the form of electronic health records, held on our secure, UK-based servers, or may be paper files, stored securely in locked cabinets. Whichever format your information is held in, its security is paramount, and access to it is tightly controlled and is restricted to those staff who need access for the sole purpose of managing your referral. We will not release your data to anyone without your explicit consent to do so. We will not use your data for marketing purposes, or allow any of our processors (authorised third parties providing services on our behalf) to do so either.

What is our lawful basis for collecting your data?:

Any personal information we hold about you is processed under three lawful bases, under Article 6 of the GDPR:

1)      Consent – We ask for your explicit agreement as to how we manage and share your data. Our consent process is thorough, transparent and specific, and we will only process your data in line with the terms you agree.

 The process also informs you of your right to withdraw your consent, without prejudice, though this may sometimes affect our ability to manage your referral if we are unable to share information with your funding approver.

 Your details will never be shared with any person or organisation outside of the relationship between your referrer and IPRS Health (including its authorised suppliers) without your explicit written consent (for example, if you wish to release your health records as evidence for a legal claim) unless we are legally obliged to do so by a court order or to protect public health.

 The specific consent you give about the parties with whom you agree IPRS Health may share your data is documented in detail in your health record. You have the right to request access to this record.

2)      Legitimate interests – We process your data in order to be able to carry out our lawful business, which is the management and delivery of your health or wellbeing referral. As we have been appointed by an organisation to provide services to you, we need to communicate with that organisation about you; and with the suppliers who deliver services on our behalf. This requires us to share your information:

  1. for the purpose of managing your referral;
  2. for financial purposes in the payment and submission of invoices, and;
  3. for communicating statistical information about you and your care.

These are our legitimate interests (and those of the organisation that referred you or that provide care to you) and these interests will continue providing that they do not countermand your own interests, rights or freedoms as an individual.

3)      Legal Obligation – In certain circumstances we may have a legal obligation to process your data, specifically in the “establishment, exercise or defence of legal claims” or in the interest of public health. Under particular, but rare, conditions, this may be done without your consent.

In addition to your personal data, we also need to process your ‘special category’ data, which is information about your health status. Any information we collect or hold about your health, and your treatment and care, is processed for the purposes of ‘preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’ under Article 9 of the GDPR and chapter 2, section 9 of the Data Protection Act 2018.

What information do we collect about you and how do we collect it?

We collect your personal and health-related information in a number of ways, including:

  • Referral details from your referring organisation;
  • Directly from you (or your authorised representative) by completion of forms (including online forms), during telephone calls, or during face to face encounters;
  • Information from our authorised suppliers, who will also only share the details of your treatment and care with IPRS Health, unless you agree otherwise.

The personal data we process may include your:

  • Full name and preferred name
  • Address
  • Telephone numbers
  • Date of birth
  • Gender
  • Email address
  • Occupation
  • Work or employment details
  • Insurance policy details

In addition to the above, we will also hold specific information about your health and wellbeing, which may include:

  • An electronic health record detailing the significant events and correspondence related to your referral to IPRS Health;
  • Health notes and reports, including details of treatment and care;
  • Information about your Physical and Mental Health conditions, as relevant to your referral;
  • Results of investigations or procedures;
  • Information from other healthcare professionals involved in your care;
  • Other health- or wellbeing-related data about your smoking status, alcohol consumption, any disabilities you may have, and your family, lifestyle and social circumstances.

These data will only be collected and processed where this is necessary and relevant to the management and delivery of services provided to you by IPRS Health.

We will never collect information which is not justified by our legitimate interests, and we will never use your health or wellbeing data for direct marketing.

What we do (and can we) do with your personal data? 

Your information is only used by IPRS Health to manage and deliver your health or wellbeing services, or to report to those parties you have agreed. This ensures that:

  • Staff involved in delivering your care have accurate and up-to-date information to provide the most appropriate evidence, advice or care;
  • Staff involved in managing your care are able to do so efficiently;
  • Your referring organisation has sufficient information to manage your Occupational Health needs, to help find you the most appropriate work duties or to effectively administer your insurance case or claim, depending upon the nature of your referral to IPRS Health.

The information we collect and hold about you may also be used to:

  • Tell you about any arrangements IPRS Health has made on your behalf;
  • Provide you with the contact details of our providers so that you can communicate with them directly;
  • Investigate complaints and report to the appropriate authorities when required to do so by law or with your consent;
  • Send you copies of reports, letters or any documentation you request in relation to your health or wellbeing services;
  • Contact you regarding patient satisfaction surveys, the results of which will be used to further improve IPRS Health’s services to future users.

We always use the least amount of personal data that we can to achieve our aims, and will try to anonymise or pseudonymise your information whenever possible, so as to give the greatest possible protection to your confidentiality.

Your data is never used for marketing or advertising purposes, and would not be released to any third party without your explicit consent, unless there is a legal requirement to do so, such as a court order.

How do we maintain your data records?

As previously mentioned, your data may be held in both electronic and paper forms. All data are held securely, and are retained for a specified period of time, as laid out in our data retention schedules. Different types of data would be held for different retention periods, as required by law, or by IPRS Health’s legitimate purposes.

Health records (containing the information pertaining to your health and wellbeing services) are retained by IPRS Health for a period of ten years from the date of your discharge from IPRS Health's care. If
you were a minor (under 18) at discharge, the record will be kept for ten years from you reaching your majority (ten years from your eighteenth birthday). This duration is required by our liability insurance provider, in anticipation of a need for health records being required for legal claims.

Once the retention period for your data expires, it will be destroyed or deleted in a secure manner. We will not keep your personal data for longer than is necessary to fulfil our legitimate purposes. Wherever possible, your personal data will be archived unless it is required for active referrals. If we wish to retain data for research or analytical purposes for longer periods, this will be retained as anonymous statistical data, and will no longer be ‘identifiable’ to you personally.

Your data are processed and stored in accordance with UK data protection legislation, currently the UK Data Protection Act 2018 and the General Data Protection Regulation. In addition to this statute law, health information is also protected by the Common Law Duty of Confidentiality, other assorted healthcare professional standards of conduct (such as those set by the Health and Care Professions Council), or national standards as set by the Information Commissioner’s Office.

These combined requirements mean that we must:

  • Maintain your data records fully and correctly;
  • Keep your data confidential and secure;
  • At your request, give you access to your data in a format which is accessible to you.

What are your individual rights concerning your data?

Under the GDPR and DPA you have certain rights as an individual, regarding your personal data held or processed by IPRS Health. You have the right to:

  • Be kept informed about any processing that takes place;
  • Know what information IPRS Health holds about you, and to have access to that information;
  • Request the correction of inaccurate or incomplete data held in your IPRS Health record;
  • Withdraw or decline your consent for the sharing of your information at any point during the delivery of your health and wellbeing services;
  • Under specific conditions, request that your personal data be transferred to other organisations;
  • Restrict or object to IPRS Health’s processing of your personal data, in certain circumstances.

Should you want to exercise your rights concerning your personal data, please contact IPRS Health’s Data Protection Officer at or by telephone on 0800 072 1227.

Who do you contact if you are unhappy with IPRS Health's management of your data?

If you have any concerns about what IPRS Health doing with your data, please contact the Data Protection Officer in the first instance.

IPRS Health is regulated in all matters of data protection by the Information Commissioner’s Office (ICO). If you are dissatisfied with our response to your concerns, or believe that IPRS Health is processing your data otherwise than in accordance with the law, you have to right to make a complaint to the ICO, as below.

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Fax: 01625 524 510

Contact Us

If you have any questions regarding our Privacy Policy please email us on or write to Suffolk House, Bramford Road, Little Blakenham, Suffolk IP8 4JU.