Data Protection
Protecting sensitive medical information with care and discipline.
This page explains the practical standards we apply when handling personal data, especially health information, across the Second Opinion Medic service.
1. Our commitment
Second Opinion Medic Ltd understands that users of this service entrust us with highly sensitive personal information, including medical records and health-related data.
We are committed to handling personal data with care, confidentiality, integrity, and respect. Our aim is to process only the information that is reasonably necessary for the operation of our service, the delivery of specialist second opinions, and the protection of our legal and operational responsibilities.
2. Scope of this policy
This Data Protection Policy explains, in practical terms, how we approach the protection of personal data across our website and services. It should be read alongside our Privacy Policy and Terms of Service.
3. Nature of the data we protect
The information we may handle includes identity and contact details, account records, medical records and case documentation, specialist opinion reports, payment and billing information, service communications, and technical, access, and security data.
Because our service involves health information, some of the data we process is especially sensitive and requires a higher standard of care.
4. Core data protection principles
- lawful, fair, and transparent;
- collected for specified and legitimate purposes;
- adequate, relevant, and limited to what is necessary;
- accurate and kept up to date where appropriate;
- retained only for as long as reasonably necessary;
- protected by appropriate technical and organisational safeguards.
5. Access controls and confidentiality
Access to personal data is limited to those who reasonably need it for legitimate service, operational, security, or legal purposes.
- authorised internal personnel;
- specialist clinicians reviewing a submitted case;
- selected service providers supporting hosting, payments, storage, communications, and security.
Those handling personal data are expected to do so confidentially and only within the scope of their role.
6. Medical information handling
Uploaded medical records and related case materials are treated as highly confidential.
Such information is used only for purposes connected with assessing case suitability, arranging specialist review, preparing and delivering a second opinion, maintaining appropriate service and record-management standards, and meeting legal, regulatory, and dispute-handling obligations where necessary.
We do not use medical records for unrelated commercial purposes.
7. Security measures
We maintain measures designed to reduce the risk of unauthorised access, disclosure, loss, misuse, or alteration of personal data. These measures may include controlled access to systems and records, authentication and account protections, secure hosting and storage, logging and monitoring of system activity, payment processing through a specialist third-party provider, and administrative and technical safeguards proportionate to the nature of the data processed.
While we take data protection seriously, no system or transmission method can be guaranteed to be entirely risk free.
8. Hosting and international transfers
Our hosting infrastructure is located in Los Angeles, California. This means personal data may be transferred to or stored outside the United Kingdom.
Where international transfers take place, we seek to ensure that appropriate safeguards and protective measures are used so that personal data continues to receive a level of protection consistent with applicable law.
9. Retention and deletion
We do not aim to keep personal data indefinitely. We retain information according to category, purpose, sensitivity, and applicable legal, regulatory, operational, accounting, and security requirements.
| Data category | Typical retention period | Reason |
|---|---|---|
| Enquiry form submissions that do not become a case | 12 months | To respond, manage follow-up, and keep a short record of pre-engagement communications |
| Patient account information | While the account remains active and for 24 months afterwards | To manage access, security, and service records |
| Uploaded medical records and case documents | 7 years after case closure | To provide the service, handle follow-up, and maintain appropriate records |
| Specialist opinion reports | 7 years after case closure | To preserve the clinical output and related service record |
| Payment and invoice records | 6 years | Accounting, tax, and legal compliance |
| Customer support correspondence | 3 years | Service quality, complaints, and dispute handling |
| Marketing consent records | Until consent is withdrawn, with limited archival record where needed | To demonstrate consent preferences |
| Technical and security logs | 6 to 12 months | Security monitoring, fraud prevention, and system integrity |
At the end of the applicable retention period, data is deleted, anonymised, or otherwise handled in accordance with our internal practices and any overriding legal or regulatory requirement.
10. Third-party providers, rights, and incidents
We use selected third-party providers to support parts of our service, including payment processing and hosting. Where third parties process data on our behalf, we expect them to handle that data appropriately and only for legitimate service-related purposes.
Requests relating to access, correction, deletion, restriction, objection, or other privacy rights may be sent to support@secondopinionmedic.com. We may need to verify identity before acting on a request, and some rights may be limited by law or by overriding legal, regulatory, security, or record-keeping obligations.
If we become aware of a data protection incident, we will assess it and respond in a manner appropriate to the nature and seriousness of the issue, including taking containment, investigation, remediation, and notification steps where required by law.
Related policies