Privacy Policy

NUPAS Privacy Policy

Our contact details


Address:  NUPAS Ltd 5 Arthur Road Edgbaston Birmingham B15 2UL

Phone Number: 0333 004 6666


The type of personal information we collect

We currently collect and process the following information:

NUPAS provide high quality healthcare. We effectively and safely store your information (your data) including your personal health, your treatment and record the below.

  • Your full name, date of birth and next of kin.
  • Your consent preferences
  • Feedback from you
  • Details of our contact with you.
  • Record of your care and treatment
  • Details of your tests, investigations, and scans.
  • Information from professionals involved with you and your care.

How we get the personal information and why we have it

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • Support clinical decision making about your care and treatment.
  • Ensure your care is effective, safe and of the highest quality.
  • Inform working with others to provide your care (where needed)
  • Ensure that we meet our legal and mandatory duties as a provider of healthcare services.
  • Process payment for services where applicable (private patients)

At NUPAS we are legally required to keep your information confidential.

We are required to;

  • Keep records about your care.
  • Keep your records secure and confidential.
  • Provide easy to use information that meets your needs.
  • Only keep information about you for as long as needed by law.

The law states that NUPAS notifies the Chief Medical Officer about every Abortion that takes place. The form used for this notification is called a HSA4 form and is used only for forming statistics.

This is needed for every abortion. A HSA4 form does not state your name but does include.

  • Your date of birth
  • Postcode
  • Ethnicity
  • Marital Status
  • Treatment details
  • How many weeks pregnant you are.
  • The legal grounds for the abortion.

We may also process the following information.

  • personal details including names, addresses, telephone numbers, email addresses, dates of birth,
  • Health details including your sexual and reproductive health records, including laboratory test results and scans, details about health conditions that may affect treatment, details about physical or mental health. This is so we can make sure our services are accessible to you.
  • Your GP details


We may also process special categories of personal data including:


  • physical or mental health details
  • racial or ethnic origin
  • religious or other beliefs


We also collect, use and share aggregated data such as statistical aggregated data which could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity

NUPAS will anonymise information about you prior to sharing where possible.

We will not share information that identifies you unless.

  • You ask us directly to do so
  • We ask you if we can and you agree
  • We are required to by law
  • We are required to as it is in the interests of the public
  • We have permission to under special reasons for health or audit purposes.

There may be occasion where others may need access to your information.

We will use anonymised information wherever possible.  Others may need access to your records to:

  • Complete quality checks on the care we provide.
  • Protect the health of the public
  • Look into a complaint or concern about your care.
  • Help learning within NUPAS

Lawful Basis for Processing Your Data

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:

  • Your consent.
  • We have a contractual obligation.
  • We have a legal obligation.
  • We have a vital interest.
  • We have a legitimate interest.

Who the information may be shared with

We sometimes need to share the personal information we process with the data subject and also with other organisations for the purposes of performing the contract we are about to enter into or have entered into, where it is necessary for our legitimate interests (or those of a third party) and the data subject’s interests and fundamental rights do not override those interests or where we need to comply with a legal obligation.


Abortions in Great Britain must be carried out under the legal requirements set by the Abortion Act 1967. This Act requires abortion care services to send some information on the abortions they undertake to the Chief Medical Officer at the Department of Health and Social Care (DHSC).


The following information is sent:

  • patient reference number
  • date of birth
  • postcode
  • ethnicity
  • marital status
  • number of previous pregnancies
  • treatment details


We will not disclose medical records to your GP or contact them without your permission, other than when needed for emergency medical care or safeguarding concerns. We will however inform your GP of a positive STI result in the event that we cannot reach you after several attempts.

Your data protection rights

International Transfers

We do not transfer any personal data outside of the European Economic Area.

Rights of individuals

Individuals have rights to their data which we must respect and comply with to the best of our ability. We must ensure individuals can exercise their rights in the following ways:

Individuals have rights to their data which we must respect and comply with to the best of our ability. We must ensure individuals can exercise their rights in the following ways:

  • Providing privacy notices which are concise, transparent, intelligible and easily accessible, free of charge, that are written in clear and plain language, particularly if aimed at children.
  • Keeping a record of how we use personal data to demonstrate compliance with the need for accountability and transparency.

Right to access

  • Enabling individuals to access their personal data and supplementary information
  • Allowing individuals to be aware of and verify the lawfulness of the processing activities

Right to rectification

  • We must rectify or amend the personal data of the individual if requested because it is inaccurate or incomplete.

Right to erasure

  • We must delete or remove an individual’s data if requested and there is no compelling reason for its continued processing.

Right to restrict processing

  • We must comply with any request to restrict, block, or otherwise suppress the processing of personal data.
  • We are permitted to store personal data if it has been restricted, but not process it further. We must retain enough data to ensure the right to restriction is respected in the future.

Right to data portability

  • We must provide individuals with their data so that they can reuse it for their own purposes or across different services.
  • We must provide it in a commonly used, machine-readable format, and send it directly to another controller if requested.

Right to object

  • We must respect the right of an individual to object to data processing based on legitimate interest or the performance of a public interest task.
  • We must respect the right of an individual to object to direct marketing, including profiling.
  • We must respect the right of an individual to object to processing their data for scientific and historical research and statistics.

Rights in relation to automated decision making and profiling

  • We must respect the rights of individuals in relation to automated decision making and profiling.
  • Individuals retain their right to object to such automated processing, have the rationale explained to them, and request human intervention.

Data Retention

  • We will only retain personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.
  • To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Data Security

We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal data to those employees, agents, contractors and other third parties who need to be able to access the personal data to work effectively. They will only process personal data on our instructions and are subject to a duty of confidentiality.


We have put in place procedures to deal with any suspected personal data breach and will notify any applicable regulator of a breach where we are legally required to do so.

Subject Access Requests

An individual has the right to receive confirmation that their data is being processed, access to their personal data and supplementary information.


We must provide an individual with a copy of the information they request, free of charge. This must occur without delay, ideally within one month of receipt. We endeavour to provide data subjects access to their information in commonly used electronic formats, and where possible, provide direct access to the information through a remote accessed secure system.


If complying with the request is complex or numerous, the deadline can be extended by two months, but the individual must be informed within one month.


We can refuse to respond to certain requests, and can, in circumstances of the request being manifestly unfounded or excessive, charge a fee. If the request is for a large quantity of data, we can request the individual specify the information they are requesting.


If you would like to make a Subject Access Request please complete the form below or contact us at

Our Website

Third-party links

Our website may include links to third-party website, plug ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data. We do not control these third party websites and are not responsible for their privacy statements.

Website cookies

Our website makes use of cookies, which are small digital files that are stored in your web browser. They enable us to track your return visits to our website and make using our website more enjoyable for you. Please see our Cookie Policy for more information here. 

Right to lodge a complaint

You have the right to complain to the Information Commissioners Office

You can also complain to the ICO if you are unhappy with how we have used your data.


The ICO’s address:   

Information Commissioner’s Office

Wycliffe House

Water Lane





Helpline number: 0303 123 1113

ICO website:

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at

Or visit our Feedback and Complaints page here

Get in touch with NUPAS

Give us a call:

United Kingdom:  0333 004 6666

Republic of Ireland:  (01) 874 0097

Overseas: 0845 359 6666