Contact Us

• Our Company

Privacy Policy

1. Introduction

OnPoint Medical Reporting Limited respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you interact with us, including in the provision of medico-legal reporting services.

This Privacy Policy operates alongside the Information/Data Security Policy and forms part of the organisation’s wider information governance framework, in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and MedCo Qualifying Criteria QC 1.6 (Information Security) (UK GDPR Articles 5 and 32; MedCo QC 1.6).

2. Who we are

OnPoint Medical Reporting Limited is a UK-based Medical Reporting Organisation (MRO) providing medico-legal reporting and administrative support services.

Registered office:
Spaces, Peter House, Office 4.03
Oxford Street, Manchester, M1 5AN

ICO registration number: ZB877553 (ICO registration requirement)

For the purposes of data protection law, OnPoint Medical Reporting Limited is the Data Controller in respect of personal data processed in connection with its services (UK GDPR Article 4(7)).

3. What personal data we collect

Medical and clinical information constitutes “special category data” under UK GDPR Article 9 and is subject to enhanced safeguards due to its sensitive nature (UK GDPR Article 9; ICO guidance on special category data).

4. How we collect personal data

We collect personal data:

• Directly from you (e.g. when you attend an assessment or contact us);
• From third parties (e.g. solicitors, insurers, medical experts, or MedCo-approved instruction sources);

Where personal data is obtained from third parties, this is done on a lawful basis and strictly for legitimate medico-legal purposes (UK GDPR Article 6; MedCo operational requirements).

5. Purposes for processing your personal data

We process personal data to:

• Deliver medico-legal reporting services, including arranging examinations and producing reports;
• Manage cases and liaise with medical experts, instructing parties, insurers, and legal representatives;
• Comply with legal, regulatory, professional, and MedCo obligations;
• Manage business operations such as billing, audit evidence, complaints handling, and quality assurance;
• Maintain information security and prevent unauthorised access or misuse.

Processing is limited to what is necessary and proportionate (UK GDPR Article 5(1)(c); ICO data minimisation guidance).

6. Legal bases for processing

We rely on one or more of the following lawful bases:

• Performance of a contract (UK GDPR Article 6(1)(b));
• Legal obligation (UK GDPR Article 6(1)(c));
• Legitimate interests, balanced against individual rights (UK GDPR Article 6(1)(f));
• Consent, where required;
• Vital interests, in rare circumstances.

Where special category data is processed, additional conditions apply, including processing necessary for the establishment, exercise, or defence of legal claims (UK GDPR Article 9(2)(f)).

7. Sharing your personal data

We may share personal data with:

• Medical experts instructed to conduct assessments and produce reports;
• Solicitors, insurers, and authorised instructing parties;
• Third-party service providers supporting secure IT, telephony, and accounting systems;
• Regulatory or statutory bodies, including MedCo, where required.

We do not sell personal data.

All third-party providers are subject to due diligence, confidentiality obligations, and GDPR-compliant security controls, consistent with our Information/Data Security Policy and MedCo QC 1.6.

8. Data retention

Personal and special category data is retained only for as long as necessary to fulfil medico-legal, contractual, regulatory, and audit purposes (UK GDPR Article 5(1)(e); ICO storage limitation guidance).

As a Medical Reporting Organisation, OnPoint Medical Reporting Limited applies the following retention periods:

• Medico-legal case files and medical reports: retained for 7 years from case closure, to cover personal injury limitation periods, potential disputes, and MedCo audit requirements (Limitation Act 1980; ICO guidance on legal claims)
• Complaints records: retained for 6 years from closure, to evidence regulatory handling and audit compliance (regulatory best practice; MedCo expectations)
• Financial and accounting records: retained for 6 years in line with HMRC requirements
• Audit, compliance, and governance records: retained for 6 to 7 years to evidence ongoing regulatory compliance (MedCo audit requirements)

At the end of the applicable retention period, data is securely deleted, destroyed, or anonymised in accordance with the Information/Data Security Policy (UK GDPR Article 32; ICO security guidance).

9. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data:

·       Right of access – to request confirmation of whether we process your personal data and to receive a copy of that data.

·       Right to rectification – to request correction of inaccurate or incomplete personal data.

·       Right to erasure – to request deletion of personal data where there is no lawful basis for continued processing. This right may be limited where retention is required for medico-legal, regulatory, or legal claim purposes.

·       Right to restrict processing – to request that processing is limited in certain circumstances, for example while the accuracy of data is being verified.

·       Right to object to processing – where processing is based on legitimate interests and you believe those interests are overridden by your rights.

·       Right to data portability – to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, where applicable.

·       Right to withdraw consent – where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal.

·       Right to lodge a complaint – with the Information Commissioner’s Office (ICO) if you believe your data protection rights have been infringed.

How to exercise your rights

Requests to exercise your data protection rights must be submitted in writing using the contact details provided in this Privacy Policy.

Upon receipt of a request, OnPoint Medical Reporting Limited will:

• Log the request in a Data Subject Rights Register, recording the date received, nature of the request, and the individual making the request (UK GDPR accountability principle; MedCo QC 1.6);
• Acknowledge receipt of the request without undue delay and confirm the applicable response timeframe;
• Verify the identity of the requester using proportionate and secure methods to prevent unauthorised disclosure of personal or special category data (UK GDPR Article 12; Information/Data Security Policy);
• Assess the scope of the request, including identifying the data held, the systems involved, and whether any legal, medico-legal, regulatory, or MedCo obligations require continued retention or restrict disclosure;
• Consult relevant internal records and third parties, where necessary and lawful, to ensure the response is accurate and complete;
• Apply appropriate redactions to protect third-party data or information subject to legal privilege;
• Respond within one month of receipt, or within up to three months where the request is complex or multiple requests have been made, in accordance with UK GDPR Article 12;
• Document the outcome of the request, including the response provided and any actions taken, to evidence compliance.

Where a request is refused or restricted, the individual will be provided with a clear explanation of the reasons and informed of their right to lodge a complaint with the Information Commissioner’s Office (ICO).

Oversight and final approval of responses to data subject rights requests rests with the Director / Responsible Officer, ensuring consistent, lawful, and secure handling in line with MedCo QC 1.6 and the organisation’s Information/Data Security Policy.

10. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption, access controls, staff training, monitoring, and incident management (UK GDPR Article 32; ICO security guidance).

Information security risks are assessed on an ongoing basis, including risks arising from internal processing activities and third-party systems, in line with the Information/Data Security Policy and MedCo QC 1.6.

11. Cookies & tracking

Our website may use cookies to improve functionality and user experience. Cookie preferences can be managed via browser settings or any cookie banner provided (Privacy and Electronic Communications Regulations).

12. Changes to this policy

This Privacy Policy is reviewed periodically and updated where required.
Material changes will be communicated where appropriate (ICO transparency guidance).

13. Contact

For questions or requests regarding this Privacy Policy or our use of personal data, contact:

OnPoint Medical Reporting Limited
Spaces, Peter House, Office 4.03
Oxford Street, Manchester, M1 5AN
Email: info@opmr.co.uk           

You also have the right to raise concerns with the Information Commissioner’s Office (ICO) (UK GDPR Article 77).

Explore More

• Privacy
• Gdpr
• Data breach

Contact Us

• 0333 050 7377
• info@opmr.co.uk
• Spaces, Peter House, Office 403, Oxford Street, Manchester, M1 5AN

Facebook Instagram X-twitter

Company Overview

ONPOINT MEDICAL REPORTING LIMITED is a UK-based provider of medico-legal
reporting and support services. We offer fast, reliable access to a nationwide panel of medical
professionals to support personal injury claims, complex legal proceedings, and rehabilitation
needs.
Our goal is to alleviate the administrative burden from law firms and insurers by offering
comprehensive, accurate medical assessments and case management—handled with care,
speed, and integrity.

More About Us