Privacy Policy (Privacy Notice)

1. Introduction

Leading Pathology is committed to transparency, accountability, and the protection of personal and confidential information. This Privacy Policy (also referred to as a Privacy Notice) explains how we collect, use, store, and share personal data relating to our patients, service users, and staff.

As a private healthcare provider specialising in histopathology and diagnostic services, we recognise the sensitive nature of the information we handle. We process personal data in accordance with the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and the Common Law Duty of Confidentiality, ensuring the highest standards of information governance.

Leading Pathology is regulated, accredited, and monitored by relevant statutory and professional bodies, including the Care Quality Commission (CQC) and the Information Commissioner’s Office (ICO).

2. Scope, Roles and Responsibilities

This Privacy Policy applies to all employees, consultants, contractors, and other individuals working on behalf of Leading Pathology.

The Medical Directors are responsible for overseeing the development, implementation, and enforcement of this policy.

All laboratory staff are required to comply with this policy and must report any actual or suspected data protection incidents or breaches immediately to the Medical Directors.

3. Legal Framework

Leading Pathology processes personal data in accordance with applicable UK legislation and guidance, including:

• Data Protection Act 2018
• UK General Data Protection Regulation (UK GDPR)
• Human Rights Act 1998
• Access to Health Records Act 1990
• Common Law Duty of Confidentiality
• Records Management Code of Practice

4. Key Terms

Personal Data
Any information relating to an identified or identifiable living individual (for example, name, NHS number, or date of birth).

Special Category Data
Personal data that is particularly sensitive and requires additional protection, including health, genetic, and biometric data.

Data Controller
The organisation that determines the purposes and means of processing personal data. For the purposes of this policy, Leading Pathology acts as the Data Controller.

Processing
Any operation carried out on personal data, including collection, recording, storage, use, disclosure, or destruction.

5. How We Process Your Information

5.1 Information We Collect

To provide diagnostic and pathology services, we may collect and process the following information:

• Personal identifiers: name, hospital number, address, and date of birth
• Clinical information: details of medical history, clinical notes provided by the referring clinician, and tissue samples (biopsies or specimens) for analysis
• Sensitive information: where clinically relevant, information relating to race or ethnic origin for genetic or diagnostic purposes

5.2 Lawful Basis for Processing

Under the UK GDPR, we process personal data on the following lawful bases:

• Article 6(1)(f) – Legitimate Interests: processing necessary for our legitimate interests in providing private pathology and diagnostic services
• Article 9(2)(h) – Health or Social Care: processing necessary for medical diagnosis, treatment, and the provision of healthcare
• Article 9(2)(j) – Research: where applicable, processing for scientific or historical research or archiving in the public interest, subject to appropriate safeguards

5.3 How We Use Your Information

We use your personal and clinical information to:

• Produce accurate, timely diagnostic reports to support appropriate medical decision-making
• Communicate effectively with your referring clinician, consultant, or healthcare provider
• Maintain complete and accurate records to support continuity of care, second opinions, or onward referral, including within the NHS where appropriate

5.4 Security and Confidentiality

We take the security of your information seriously and apply robust technical and organisational measures to protect it.

• Infrastructure and storage
  Our systems operate on modern, secure, cloud-based infrastructure. All data is encrypted both in transit and at rest. Information may be stored electronically and, where clinically necessary, in a combination of electronic and paper records.
• Access controls
  Access to records is strictly limited to authorised personnel who require access for legitimate clinical or operational purposes.
• Confidentiality obligations
  All staff and contractors are bound by the Common Law Duty of Confidentiality. Information provided in confidence will only be used for the purpose for which it was provided, unless consent is given or disclosure is required or permitted by law.

Under the Data Protection Act 2018, our staff have a legal and professional duty to protect personal information and ensure it is handled lawfully, fairly, and securely.

5.5 Data Sharing

We may share personal information with:

• The healthcare professionals responsible for your care, including GPs and consultants
• Other specialist laboratories where a second opinion or additional expert analysis is required (acting as data processors or sub-processors)

We do not sell personal data to third parties.

5.6 Data Retention

Health records, pathology slides, and tissue blocks are retained in line with guidance issued by The Royal College of Pathologists, The Retention and Storage of Pathological Records and Specimens (6th Edition, 2025).

5.7 Your Rights

Under UK data protection law, you have the right to:

• Access – request a copy of your personal data (Subject Access Request)
• Rectification – request correction of inaccurate or incomplete information
• Restriction – request restriction of processing in certain circumstances
• Objection / Opt-out – object to or opt out of processing for purposes beyond direct care, such as research, where applicable

Requests can be made by contacting Leading Pathology using the details provided on our website.

6. Compliance

This policy complies with the Equality Act 2010, the Human Rights Act 1998, the UK GDPR, and the Data Protection Act 2018.

Failure to comply with this policy may result in disciplinary action, including termination of employment or contractual arrangements, depending on the seriousness of the breach.

7. Policy Declaration

This Privacy Policy is effective from 1 December 2025 and will be reviewed every two years, or sooner if required by changes in legislation or operational practice.