top of page


Professor Whitehouse provides private medical services and medicolegal expert witness services.


ICO Registration Number is ZB295358


Professor Michael Whitehouse is the data controller.


How we collect personal information

We collect personal information from you and about you from third parties (this may be anyone acting on your behalf, e.g. medical insurance providers, healthcare providers, solicitors, the NHS etc.).

We also collect personal information from you through information you provide when you contact us, including by telephone (telephone calls may recorded or monitored to ensure we abide by legal rules, codes of practice and internal policies, and for quality assurance purposes), by email, through our website, by post, by filling in application or other types of form, or face-to-face (e.g. during in consultations, or the course of establishing a diagnosis and treatment plan).


We also collect information from other people and organisations

We may collect information from:

  • a family member, or someone else acting on your behalf;

  • your parent or legal guardian, if you are under 18 years old; doctors, other clinicians and health-care professionals, hospitals, clinics and other health-care providers;

  • a person instructing us in relation to medicolegal issues (for example where we provide medicolegal expert witness reports), this is usually a solicitor but may include other people representing Hospitals, NHS Trusts or NHS Resolution;

  • any service providers who work with us in relation to products or services you receive from us; and

  • fraud-detection and credit-reference agencies


Categories of personal information we process

We process different categories of personal information about you and (where applicable) your dependants:

  • standard personal information (e.g. information we use to contact you or identify you); and

  • special categories of information (e.g. medical information about your current condition and past medical history, information about your race, ethnic origin and religion that allows us to tailor your care).


Standard personal information

Standard personal information includes:

  • Contact information (e.g. name, address, email address, telephone number);

  • your country of residence, age, date of birth and identification numbers (e.g. in order to ensure we can report correct information to national mandatory health registries);

  • information about your employment and the type of work you do;

  • details of previous contact and communication with you;

  • details of your health insurer or provider where relevant;

  • financial details (e.g. details about current and past payments made to us, your bank, bank card or credit card details);

  • the results of any credit or anti-fraud checks that need to be carried out;

  • information about how you use our wesbsite.


Special category information

Special category information includes:

  • Information about your physical or mental health, this may include genetic or biometric information (this information may be collected from forms you have filled in, existing medical records or reports about your health, previous treatment you have received and any treatment you may need. It may also be recorded from telephone calls, emails, faxes, information you may send to or consent to being sent to other parties about the care and treatment you receive from us, referrals from other healthcare professionals, health insurers or other healthcare providers);

  • information about your race, ethnic origin and religion; and

  • information about any prior criminal convictions or recorded offences.


What we use your personal information for

We need to process your personal information so that we can provided our services to you. Our services may be in medical, surgical services or expert witness services in cases where we are asked to prepare resorts regarding the care you have received.


We can only process your personal information if we have a lawful reason to do so. The legal reasons we may need to do this are:

  • If it is necessary to provide the services set out in a contract. If we have a contract with you, we will process personal information so that we can fulfil that contract to provide products or services;

  • in our or a third party’s legitimate interests; and

  • required of us by or allowed by law; 


We may need to process special category information about you because:

  • it is needed for us to provide preventative or occupational healthcare advice, to assess if you are able to work, in order to make a diagnosis of your condition, to provide medical or surgical healthcare or treatment, or to comply with our statutory obligations and clinical governance requirements to monitor and ensure that we are meeting expectations regarding our clinical and non-clinical performance;

  • it is necessary for the preparation and/or delivery of an expert witness report on liability, causation, condition or prognosis;

  • it is necessary for health insurance purposes (e.g. for us to advise on, arrange , provide or manage your health and or an insurance contract, dealt with a claim made under an insurance contract, or relating to rights and responsibilities arising in connection with an insurance contract or our legal duties);

  • it is necessary for a purpose designed to protect the public against dishonesty, malpractice or other seriously improper behaviour (e.g. investigations in response to a safeguarding concern, a member’s complaint or a regulator (such as the Care Quality Commission or the General Medical Council) telling us about an issue);

  • it is in the public interest, in line with any laws that apply;

  • it is information that you have made public; or

  • we have your permission to do so.


As is best practice, we will only ask you for permission to process your personal information if there is no other legal reason to process it. If we need to ask for your permission, we will make it clear that this is what we are asking for and ask you to confirm your choice to give us that permission. If we cannot provide a service without your permission (for example, we can’t manage and run a health service without health information), we will make this clear when we ask for your permission. If you later withdraw your permission, we will no longer be able to provide you with a service that relies on having your permission.


Where we store your personal data

The information that we collect from you will not be transferred to, processed or stored outside the UK.

We will ensure that suppliers of our information technology and other services have the appropriate technical, administrative and physical procedures in place to ensure that your data is protected against loss or misuse. All personal information you provide to us will be stored on our encrypted, secure servers or those operated by a GDPR-compliant third party.


Who do we share your personal data with?

We only share personal data on a strict need to know basis and share only data that is specifically required for the purpose.

We may need to disclose your information to the third party’s listed below for the purposes described in this privacy notice:

  • A doctor, nurse, physiotherapist, occupational therapist or any other healthcare professional currently involved in or that needs to be involved in your healthcare or treatment;

  • members of support or administrative staff involved in the delivery of your healthcare;

  • anyone that you ask us to communicate with about your care;

  • NHS organisations including NHS Hospital Trusts, Clinical Commissioning Groups, NHS Resolution, NHS England, NHS Wales, the Department of Health and Social Care;

  • medical insurers;

  • other private sector healthcare providers;

  • your General Practitioner;

  • those instructing us to provide an expert witness report;

  • Private Healthcare Information Network;

  • healthcare and other regulators;

  • the police and other third parties where reasonably necessary for the prevention or detection of crime;

  • debt collection agencies;

  • credit reference agencies;

  • third part service providers (e.g. IT suppliers, actuaries, accountants, auditors, lawyers, document management providers, HMRC and/or VAT Commissioner as required by those parties;

  • with other parties pursuant to a court order.


How long do we keep your personal data for?

GDPR regulations require that your personal data should not be held for longer than is necessary for the purpose for which it is being processed. In the case of the type of records that we hold for you, it is necessary that we keep your records for the minimum period of time required of us by law and for operational and safety reasons. The period of time we need to keep your medical records for varies according to the type of record.

In most cases, where clinical medical services have been provided (consultation, treatment or other assessment), records will be retained for 20 years after the last contact. This period has been determined with patient safety in mind and is consistent with practice in healthcare. There are certain types of medical record where we may need to keep the record for longer, this includes operation notes which list the sizes and types of implant you receive. Having this information means that if you do need a redo operation in the future, we have the necessary information to order implants which can mean a smaller redo operation, reducing risks and aiding your recovery.


Personal data in medicolegal cases is retained whilst the case is ongoing. Copies of the medical records we are provided with to produce your report will be destroyed 3 months following the conclusion of your case but some elements of your personal data, such as that contained in the report we produce itself, where necessary, will be kept for up to 10 years following the conclusion of the case.


How we communicate with you?

We will most often communicate with you by telephone (this may include Voice Over Internet Protocol), SMS text message, email, fax or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate. If you have a generic voicemail message that does not identify you, we will not be able to leave a message that may reveal any sensitive information.

Please note that although providing your mobile number and email address and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, we are not relying on your consent to process your personal data in order to correspond with you about your treatment. As set out further below, processing your personal data for those purposes is justified on the basis that it is necessary to provide you with healthcare services.

If you choose to send us information via email, we cannot guarantee the security of this information until it is delivered to us. If you need to send us sensitive or personal information, we can provide details of a free to use GDPR-compliant secure email system that can be used for this. Please let us know if you wish to use this service.


Your rights

You have the right to access your information and to ask us to correct any mistakes and delete and restrict the use of your information. You also have the right to object to us using your information, to ask us to transfer information you have provided and to withdraw permission you have given us to use your information. For more information, see below.

You have the following rights (certain exceptions apply):

  • Right of access: the right to make a written request for details of your personal information and a copy of that personal information. We will provide this free of charge although where such requests are frequent or excessive then we may charge an administration fee.

  • Right to rectification: the right to have inaccurate information about you corrected or removed.

  • Right to erasure (‘right to be forgotten’): the right to have certain personal information about you erased.

  • Right to restriction of processing: the right to request that your personal information is only used for restricted purposes.

  • Right to object: the right to object to processing of your personal information in cases where our processing is based on the performance of a task carried out in the public interest or we have let you know the processing is necessary for our or a third party’s legitimate interests.

  • Right to data portability: the right to ask for the personal information you have made available to us to be transferred to you or a third party in machine-readable formats.

  • Right to withdraw consent: the right to withdraw any consent you have previously given us to handle your personal information. If you withdraw your consent, this will not affect the lawfulness of our use of your personal information prior to the withdrawal of your consent and we will let you know if we will no longer be able to provide you your chosen product or service.

  • Right in relation to automated decisions: you have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you, unless it is necessary for entering into a contract with you, it is authorised by law or you have given your explicit consent. We will let you know when such decisions are made, the lawful grounds we rely on and the rights you have.


Please note: other than your right to object to the use of your data for direct marketing (and profiling to the extent used for the purposes of direct marketing), your rights are not absolute. They do not always apply in all cases and we will let you know in our correspondence with you how we will or will not be able to comply with your request.

If you make a request, we will ask you to confirm your identity if we need to, and to provide information that helps us to understand your request better. If we do not meet your request, we will explain why.


How to contact us

If you have any queries regarding this privacy statement, these can be sent to

If you have any concerns about the way your personal information has been processed, please contact us by email at Alternatively, you may contact the Information Commissioner’ s Office on 0303 123 1113.



A cookie is a small computer file or piece of information that may be stored in your computer’s hard drive when you visit our websites. We may use cookies to improve our website’s functionality and in some cases, to provide visitors with a customized online experience.


Cookies are widely used and most web browsers are configured initially to accept cookies automatically. You may change your Internet browser settings to prevent your computer from accepting cookies or to notify you when you receive a cookie so that you may decline its acceptance.

Please note, however, if you disable cookies, you may not experience optimal performance of our website.


Other websites

Our website may contain links to third party websites that are beyond our control and therefore not governed by this privacy policy. Although we endeavour to only link to sites with high privacy standards, our privacy policy will no longer apply once you follow and link and leave our website. Additionally, we are not responsible for the privacy practices employed by third party websites. Therefore, we suggest that you examine the privacy statements of those sites to learn how your information may be collected, used, shared and disclosed before deciding whether you wish to proceed.

bottom of page