Privacy Notice & Data Protection Policy
1. Introduction
Triam Health Limited (“Triam Health”, “we”, “our”, or “us”) is committed to protecting and respecting your privacy and handling personal information securely, lawfully, fairly, and transparently.
This Privacy Notice & Data Protection Policy explains how Triam Health collects, uses, stores, shares, protects, and processes personal information in accordance with UK GDPR, the Data Protection Act 2018, applicable healthcare confidentiality obligations, MedCo requirements where applicable, and relevant medico-legal and professional obligations.
2. UK GDPR Principles
Triam Health processes personal information in accordance with the UK GDPR principles of:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
3. Types of Information Processed
Depending on the services provided, Triam Health may process:
- Personal identification information
- Contact information
- Medical and healthcare information
- Consultation records
- Medico-legal reports
- Appointment details
- Billing and invoicing information
- Communication records
- Website or portal interaction data
4. Lawful Basis for Processing
Triam Health processes personal information under one or more lawful bases including:
- Provision of healthcare services
- Medical diagnosis and treatment
- Compliance with legal obligations
- Establishment, exercise, or defence of legal claims
- Contractual obligations
- Legitimate interests
- Safeguarding obligations
- Consent where applicable
5. Private GP & Healthcare Services
For private GP and healthcare services, Triam Health acts as the Data Controller for patient information processed in relation to clinical care.
Information processed may include medical history, consultation records, medication history, investigation results, referral correspondence, treatment records, and appointment administration.
6. Aesthetic & Cosmetic Services
For aesthetic and cosmetic services, Triam Health processes personal and medical information necessary for consultation, treatment planning, consent processes, safety monitoring, follow-up care, and clinical documentation.
Clinical photographs may be taken for healthcare documentation and patient safety purposes and are not used for marketing without separate explicit written consent.
7. Medico-Legal Services & Expert Reporting
Triam Health provides independent medico-legal examinations and expert reporting services.
Independent medical experts generally act as independent Data Controllers in relation to their medico-legal opinions and reports.
For Direct Medical Expert (DME) instructions, information and reports are shared only with the instructing solicitor, insurer, rehabilitation provider, court, or authorised instructing party directly involved in the claim.
For indirect expert or agency instructions, information is shared only with the instructing agency, Medical Reporting Organisation (MRO), solicitor, insurer, court, or authorised instructing party involved in the legal process.
8. Data Storage, Hosting & Security
Triam Health takes appropriate technical and organisational measures to protect personal information against unauthorised access, accidental loss, destruction, misuse, alteration, or unlawful disclosure.
Personal information may be securely stored using encrypted systems, secure cloud-based infrastructure, secure case management systems, encrypted backups, and password-protected platforms.
Security measures may include:
- Role-based access controls
- Restricted authorised access
- Multi-factor authentication
- Audit logging
- Encryption
- Secure communications
- Secure password policies
- Antivirus and cybersecurity protections
- Secure data backup systems
9. Technology Providers & Digital Services
Triam Health may utilise Trikon Digital Ltd as a technology and software services provider for secure case management, appointment administration, claimant communications, cloud hosting, secure messaging, document management, online forms, and digital healthcare services.
Trikon Digital Ltd acts as a Data Processor on behalf of Triam Health and processes information only under contractual instructions and in accordance with UK GDPR.
10. Information Sharing
Triam Health shares personal information only where lawful, necessary, and proportionate.
Information may be shared with healthcare professionals, hospitals, laboratories, pharmacies, insurers, solicitors, courts, rehabilitation providers, Medical Reporting Organisations (MROs), IT providers, regulatory authorities, and other authorised third parties involved in the provision of services.
Triam Health does not sell personal information to third parties.
11. Data Retention
Triam Health retains personal information only for as long as necessary for healthcare provision, medico-legal reporting, legal and regulatory obligations, contractual requirements, audit and governance purposes, and the establishment, exercise, or defence of legal claims.
Retention periods are determined with reference to UK GDPR, the Data Protection Act 2018, NHS Records Management Code of Practice 2021, ICO guidance, professional regulatory obligations, medico-legal requirements, and applicable limitation periods.
Typical retention periods may include:
- Adult healthcare records – Minimum 8 years after last treatment, contact, or entry
- Children’s healthcare records – Until the patient’s 25th birthday, or 26th birthday if aged 17 at conclusion of treatment
- GP records – Generally retained for 10 years after death
- Mental health records – 20 years after last contact or 10 years after death
- Maternity records – 25 years after birth of the last child
- Medico-legal reports and related records – Minimum 7 years from conclusion of the claim or longer where required
- Complaint records – Normally minimum 6 years after closure
- Financial and accounting records – Minimum 6 years in accordance with HMRC requirements
- Subject Access Request records – Normally minimum 3 years after completion
- Appointment records, emails, and communications – Retained in accordance with operational, legal, and audit requirements
Where records reach the end of their retention period, Triam Health will ensure information is securely deleted, confidentially destroyed, anonymised, archived appropriately, or placed beyond operational use where legally required.
12. Your Rights
Under UK GDPR, individuals may have rights including:
- The right to access personal information
- The right to request correction of inaccurate information
- The right to request erasure where applicable
- The right to restrict processing
- The right to object to processing
- The right to data portability where applicable
- The right to withdraw consent where consent is relied upon
13. Data Breaches & Information Security Incidents
Triam Health maintains procedures for identifying, managing, documenting, and reporting personal data breaches.
Any suspected data breach or confidentiality concern should be reported immediately to:
Data Protection Lead
Dr Thiru Sundaresan
Email: admin@triamhealth.com
14. ICO Registrations
Triam Health Limited is registered with the Information Commissioner’s Office (ICO).
ICO Registration Reference: ZC072064
Dr Thiru Sundaresan may also process personal information in his professional capacity as an independent clinician and medical expert.
ICO Registration Reference: ZB880242
15. Complaints & Contact Information
Data Protection Lead
Triam Health Limited
86 Twinnies Road
Wilmslow
SK9 4BP
Email: admin@triamhealth.com
Website: www.triamhealth.com
16. Policy Review
Policy Owner: Triam Health Limited
Approved By: Director
Version: 2.0
Date Issued: 20 May 2026
Review Date: 19 May 2027
Triam Health Limited
Company Number: 16389383
86 Twinnies Road
Wilmslow
SK9 4BP
United Kingdom
Email: admin@triamhealth.com
Website: www.triamhealth.com
Last Updated: 20 May 2026