1. Purpose

This GDPR Policy explains how OnPoint Medical Reporting Limited ensures compliance with the UK GDPR (General Data Protection Regulation) and how we protect the rights of individuals whose personal data we hold.

2. Scope

Applies to all personal data processed by OnPoint, whether via our website, medical-legal assessments, case management, or otherwise. Staff, contractors, suppliers must follow this policy.

3. Principles

All personal data processing is governed by the following GDPR principles:

1. Lawfulness, fairness, and transparency

2. Purpose limitation

3. Data minimisation

4. Accuracy

5. Storage limitation

6. Integrity and confidentiality

7. Accountability

4. Data subject rights

As in the Privacy Policy, we ensure that individuals can exercise their rights under GDPR. We have procedures in place to respond to data subject access requests (DSARs), rectification, erasure, etc., within required timescales (one month, or two where complexity demands).

5. Data Protection Officer (DPO) / Responsible Person

We appoint/nominate a person responsible for data protection compliance. For all GDPR matters, that person can be contacted via info@opmr.co.uk.

6. Data impact assessments

Where new processing operations are likely to result in high risk to individual rights (e.g. new services, new technologies, large amount of sensitive data), we conduct Data Protection Impact Assessments (DPIAs) before starting.

7. Records of processing

We maintain internal records of all processing activities, including: what personal data is processed, for what purposes, who has access, transfers, retention periods, etc.

8. Training & awareness

We ensure staff, medical experts, contractors are trained, aware of data protection obligations and how to handle personal data securely.

9. Data security & breach readiness

We implement technical & organisational controls (access restriction, encryption, secure communications) to guard against unauthorized processing, loss or damage. We also have a data breach policy (below) to respond to incidents.

10. Third-party processors

We only use processors who demonstrate GDPR compliance. Contracts with third parties include data protection clauses ensuring adequate protection, confidentiality, audit rights where relevant.