Privacy Policy for London Medical Laboratory

This Privacy Policy describes how your personal information and data is collected, used, stored, and shared if you attend one of our branches, testing locations or partners’ testing locations, or if you visit or make a purchase from one of our online sites or partner websites (the “websites”):;;; or

"We" are London Medical Laboratory Limited a company registered in England and Wales with company number 10463817 and its registered office situated at 2 Pensbury Street, London SW8 4TJ. "You" are the customer who has accessed one of our websites, attended one of our branches, testing locations or partners’ testing locations, or intends to place or has placed an order for our products, services and or applications (“Services”).

We respect and are committed to protecting your personal data. Our  Privacy Policy, along with our  Terms and Conditions ,  details the way in which we use your personal data, how we collect and look after it, how the data is stored, and your rights concerning the data. The information in this policy covers the websites listed above, in addition to the IT systems that will process your data (including internal and external laboratory systems and referral laboratories) which deal with data.

All genetic, Covid-19 and blood test results and any associated Personal Data are maintained under a strict policy of confidentiality. This Privacy Policy is applicable to all new and existing Users of our Services as stated in our  Terms and Conditions .


London Medical Laboratory Limited has appointed a Data Protection Officer (“DPO”). If you would like to contact the DPO or the Data Protection Team, please contact the DPO via email using the address: Once we have received your request we will respond as soon as possible, and certainly within the regulatory time limit (one month).


Personal information or data (“Personal Data”) is defined as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’ by the United Kingdom’s  General Data Protection Regulation or “GDPR” (the original EU regulation can be found here  EU Regulation 2016/679 ). We must meet many data protection and privacy law requirements.

In simple terms, personal data is information that can be used to identify you. Personal information can be details such as name or gender, but it also applies to more abstract data, such as IP address and location data.


For example, we will collect your  Personal Data from:  

  • When you reach out to us, either online or via email, mobile, phone or post, or in person and you provide us with your details for a test (e.g. Blood or covid-19 test);
  • Your devices, for example when you visit or use our websites;
  • Cookies we use on our websites to keep them safe or offer you personalised experiences (please see our  Cookie Policy ); 
  • One of our branches, testing locations or partner’s testing locations; and/or
  • Analysis of your genetic or biomarker information from your saliva or blood test.

Different types of tests will need slightly different details or “Order Information”. This is test information related to your order and may be collected on paper forms (such as test request forms), or digitally on a laptop, tablet or mobile telephone. This is usually collected during the ordering process or when you register your details for a particular test, such as filling an online form.

When you visit one of our websites, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Website, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Website, and information about how you interact with the Website. We refer to this automatically collected information as “Device Information”.

We collect Device Information using the following technologies:

  • “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about the cookies we use and collect please see our  Cookie Policy
  • “Log files” track actions occurring on the website, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
  • “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the websites.

When we talk about Personal Data or information in this Privacy Policy, we are talking both about Device Information and Order Information. Some examples of your Personal Data we may collect is detailed in the table below.

Purpose  Type of Personal Data 
Data and information collected to register and take the test(s) -Title, Name, date of birth, sex, email address, mobile number, home address, passport number, nationality
Your customer username or number, password (if applicable), laboratory number, sample number
Payment method used and payment amount

Any Personal Data you provide us when you contact us. This may include but is not limited to:

  • Medical data or information that directly relates to the blood, Covid-19, genetic or other biological sample tests
  • Test method (e.g. PCR, blood film or immunochemistry)
  • Test result (e.g. positive or negative)
  • Genetic data (genetic swabs)
  • Health questionnaires 
  • Pre-existing medical conditions, medications, symptoms and clinical information (if provided)
  • Date and time of sample taken 
  • Sample type
  • Result date and time
  • Location
  • Name of referral doctor, GP practice or laboratory
We also record your telephone calls with us. Please be aware that we collect and store all copies of emails sent. 
Device Information, which may include: Traffic information, IP address, time of access, date of access, location, web pages visited, device identifiers (as described above).
Website use data. Please see our  Cookie policy .
Specific government mandated testing data required from Passengers arriving to the UK (International arrivals
  • Sex
  • Date of birth 
  • NHS number (if known and applicable)
  • Ethnicity 
  • Date of arrival to UK
  • Coach number
  • Flight number 
  • Vessel name (as appropriate)
  • Date on which you last departed from or transited through a non-exempt country or territory, or a non-exempt region of a country or territory (not on the travel corridors list).
  • The country or territory you travelled from when you arrived in the UK, and any country or territory you transited through as part of that journey.
Information, Marketing and Advertising Purposes Your marketing preferences and responses to our direct marketing, for example when and if you have open, read and deleted our marketing emails, or if you have clicked on any links in information or marketing emails. 

If you are taking any medications, or have any pre-existing medical conditions or problems, or concerns such as vulnerabilities, you can discuss this during a visit with one of our healthcare assistants (HCA) at our testing locations. The HCA will only use the information you share to provide direct care and will always remain confidential. If the HCA needs your medical consent to care for you, they will get this from you at the time. The HCA may note this on your file and notify the laboratory. A referring doctor, GP or laboratory may also pass this information onto us if necessary and this may be stored on your file.

If you have provided Personal Data on someone else’s behalf, such as a relative or child then this Privacy Policy is relevant to them, and they should be made aware of it.


We will use your Personal Data in the following circumstances: 

  • To allow us to carry out the test(s) and perform a contract we have with you or are about to enter into with you (please see our  Terms and Conditions );
  • For our “Legitimate Interest”, but only when your rights and freedoms do not override our legitimate interest. Our legitimate interest is to help us improve our services and products and to obtain feedback from you;
  • To comply with legal and regulatory obligations; and/or
  • Where we have your consent for direct marketing from us or a third party. Please see below.

“Special Category Data” or sensitive data is defined as Personal Data relating to race, ethnic origin or ethnicity, politics, religion, genetics, health, sex life or sexual orientation. It is processed under the following additional legal basis: 

  • To comply with our legal and regulatory obligations; and
  • Where necessary for reasons of public health, such as notifiable diseases, and protecting against general threats to the nation’s health.

The table below outlines the lawful basis on which we rely in order to process your Personal Data.

What we use your information for  Legal basis
Confirming the appointment and passing appointment-related information to branches, testing locations or partners’ testing locations To perform a contract we have with you or are about to enter with you. 
Performing a security and ID verification at one of our or partners’ testing locations To perform a contract we have with you or are about to enter with you. 
Performing your test  To perform a contract we have with you or are about to enter with you. 
To process a payment for the test  To perform a contract we have with you or are about to enter with you. 
Receiving and processing your test To perform a contract we have with you or are about to enter with you. 
Sharing all results with Public Health England (or relevant local authority) to help plan and respond to Covid-19 or future pandemics To comply with our legal and regulatory obligations.  This is necessary for reasons of public health, such as notifiable diseases.
Provide access to Covid-19, blood, genetic or any other biological sample test results To perform a contract we have with you or are about to enter with you. 
Respond to any enquiries from you regarding our service To perform a contract we have with you or are about to enter with you. 
Where we share your personal data and sensitive personal data with regulators and governmental agencies.  To comply with our legal obligations. This is necessary for reasons of public health, such as protecting against serious cross-border threats to health.
To provide you with information about products and services which we believe may be of interest to you from us or trusted third parties.  Where we have your consent.
To provide you with access to our website(s), online portal and/or our mobile app. To perform a contract we have with you or are about to enter with you. 
To help develop, improve and optimise our websites, products, services, and the way in which we communicate with you, and to carry out internal research and development that allows us to better serve our customers.
  • Legitimate Interest to help understand how we can improve our services. This could be done through third parties such as Google Analytics (see below).
  • To help us screen for potential risk and fraud (in particular, your IP address).
To receive feedback from you to help us improve on our product services  Legitimate Interest to help understand how we can improve our services.
To provide customer support services  To perform a contract we have with you or are about to enter with you. 

 Other uses: 

  1. We may also keep and use your Personal Data to comply with our legal and regulatory obligations, resolve disputes, and enforce our agreements.
  2. We may share your Personal Data, medical history and test results with your GP, doctor or the NHS if they have requested or referred a test to us. We will not share your Personal Data, medical history and test results unless explicitly authorised by yourself or your authorised representative. 
  3. We may access, use and preserve your Personal Data to comply with legal and public health authorities, in anticipation of litigation, or to protect our rights or property or those of third parties, even if your Personal Data is subject to a deletion request from you. We may also provide information to law enforcement or authorities to protect the safety of you or other users of our services or the general public.
  4. Sale, acquire, merger, or change of ownership. If we merge with another company, or our equity securities or all or a part of our assets are sold to a third party, your Personal Data may be transferred to the buyer or successor entity. We will notify you and other users of any transfer to a different legal entity.

We use Google Analytics to help us understand how our customers use the websites. You can read more about how Google uses your Personal Information here:

You can also opt-out of Google Analytics here:


We may share your Personal Data with the following types of companies (Data Controllers or Processors) for the reasons explained in section 5. A Data Controller is a person(s) or company (either alone or jointly or in common with other persons) who decides how Personal Data will be processed. A Data Processor is an external company or other third parties that collects and processes Personal Data on behalf of us.

Also, to help us deliver our services and provide the test(s) administration, we may share Personal Data with our medical practitioners, referral laboratory or external company who may provide you with the results of your test and analyse data from our laboratory or referral laboratories. They will be under a duty of confidentiality and will handle your data securely. In some cases, we may use a laboratory or company outside the United Kingdom to process, analyse and/or interpret a sample.

Companies (Data Processors) we will share your Personal Data with include:

  1. Third party testing locations or partners’ testing locations
  2. Our referral and partner laboratories or companies, who include and may not be limited to: The Doctors Laboratory (TDL), Health Services Laboratories (HSL), Micropathology, Oncologica, Biogroup, Bio-Diagnostics Ltd., Eurofins (UK and Denmark), The Gene Box, Allelica.
  3. Our providers who host our websites or third-party platforms necessary for our business operation and customer service such as Salesforce, Freshdesk, Zendesk, Capsule, etc.
  4. IT service providers, Laboratory Information Management System (LIMS) providers, data disposal service providers and data storage service providers.

If we share your Personal Data with our Data Processors, we will have contracts with them to makesure they keep your data safe in line with Data Protection Law and this Privacy Notice.  

Companies (Data Controllers) we will share your Personal Data with include: 

  1. Ourpayment service providers.
  2. Other third parties outside London Medical Laboratory to offeryou services or products, where we have your consent.
  3. Public Health England (PHE). Covid-19,the disease caused by infection with SARS-CoV-2, is classified as a notifiable disease by the United Kingdomgovernment. Therefore, our laboratory and our referral laboratories providers have a legal obligation to report all Covid-19results (positive, negative and unclear) and associated patient data to PHE. Your data will be transferred to PHE using only themethods approved by the standard reporting protocols. Further details and information about notifiable diseases and reporting toPublic Health England is available here. Further details on how Public Health England uses,discloses and processes all personal data we share with them can be found in its privacy notice here.
  4. We may share your Personal Datawith courts, law enforcement, and governmental authorities and other third parties if required by law, subpoena, a directive froma regulatory authority or as otherwise necessary to comply with legal requirements or to protect our rights or property or thoseof third parties. 

Where we share your Personal Data with a Data Controller, wecomply with Data Protection Laws. As Controllers, they will also have their obligations under data protection law they must meet. 

If we have links to other sites promoting our partners and clients, please read their Privacy Policies or Notices on their website to see how they use your Personal Data. Our Privacy Policy will not cover their use of your Personal Data by these third parties. 


We do not sell your personal Information. If you consent to receive marketing from London Medical Laboratory or on any of our websites, we may send you relevant healthcare information or information about our products and services that may be of interest to you. 

With your consent we may share your information with selected third parties and partners outside London Medical Laboratory for marketing purposes. They will handle your Personal Data, and any opt outs as set out in their Privacy Notice on their website. 

With your consent we may send you updates and news about products and services on behalf of trusted third parties. When marketing on behalf of third parties all communications will come from us and we will not share your details with these carefully selected third parties for marketing purposes.

Opting out of Marketing   

Where you consent to receive communication for marketing purposes, you have the right to opt-out.  You can opt-out of receiving marketing communication from us at any time by following the opt-out links or options in any marketing messages sent to you or by contacting us any time at

If you opt-out of marketing, you will stop receiving marketing from us within 5 working days. Please note, this does not apply to service communication, market research or customer surveys or any other processing outside marketing. 

Where you consent to receive marketing from our selected partners or third parties, we do not control the use of your Personal Data by these partners or third parties. You should contact them directly to opt-out of receiving their marketing communications.


We may send your data to countries outside the UK, where different data protection laws may apply.  These transfers will only happen when:

  • we use service provider companies outside the UK; 
  • there is a legal or regulatory obligation; or 
  • we have your consent. 

 Where we transfer your data to a service provider company outside the UK, we will implement safeguards so that your data continues to be protected. We protect your data by making sure:

  • the country has adequacy protection approved by the UK; or
  • we conduct a security and data protection transfer assessment and implement measures and put an appropriate contract in place with approved UK standard contractual clauses between the recipient entity and us. 


We will not keep your data for longer than we need to and will only use your data for the purposes outlined in this Privacy Policy. We aim to be paper light and aim to digitally store all paper documents such as test request forms. These are then stored in your medical record or file. Paper documents are securely stored for up to 1 (one) month and then destroyed by confidential paper disposal companies.

We may keep your data if we have a legal obligation to do so or to establish, exercise or defend a legal claim. In most circumstances, this means we will not keep your data for more than 8 (eight) years after the end of your relationship with us. According to the  NHS Records Management Code of Practice  we are required to hold all Covid-19 records until necessary, which is currently indefinitely. Please note that laboratory results and records will be kept indefinitely on our secured systems, or kept until no longer required.

Subject to the below, in some cases biological samples may be stored by our laboratory for up to 4 (four) weeks after the initial analysis has been carried out to give you the opportunity to order further tests or to repeat the analysis at an additional cost (‘Storage Period’). Samples will be destroyed once the Storage Period has expired. We may also be requested by regulatory authorities (such as Public Health England) to store samples for longer or even send samples to referral laboratories for additional analysis, for example for the sequencing of Covid-19 genomes. In which case we will follow all legal and regulatory requirements.


We will make every effort to use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We have written procedures and policies documenting these measures and our operations.


The information below gives you more information on the rights that you have regarding your data. All requests can be made in writing by emailing

  • The right to know about how we gather/use/store your data. This privacy policy offers this information, but please contact us if there is anything else that you would like to know.
  • The right to obtain access to the data that we hold in relation to you. You can request this data using the email address above unless legal exceptions apply.
  • The right to data rectification or completion if it is incomplete. If you wish to correct personal data, you can request rectification or completion using the email address above.
  • The right to erasure (to be forgotten). You have the right to have any personal data permanently removed. This is not an absolute right and only applies in certain circumstances, for example, we cannot delete information if there is a legal or regulatory obligation on us to keep it.
  • The right to restrict the use and processing of your data. You have the right to object to the processing of your Personal Data in certain situations. You have an absolute right to stop your Personal Data being used for direct marketing.
  • The right to data portability, which can be achieved in the form of a data request. This right can only be used where the processing relies on your consent or contract. 
  • Rights in relation to automated decision making and profiling. We do not engage in profiling, or any processing related to automated decision-making activity.
  • The right to withdraw consent at any time (where relevant). If you withdraw your consent, this will not affect the lawfulness of how we used your personal data before you withdrew consent, and we will let you know of any consequences of the withdrawal of consent, for example if we can no longer provide you with your chosen service.
  • The right to complain to the Information Commissioner.

More detailed information on your rights and privacy laws can be found at the  ICO website. If you have an issue or complaint, you can contact us or lodge a complaint with the ICO.

If you make a request, where required, we will confirm your identity and ask you for more information to help us with your request.

We will keep a copy of your request. Further, we may charge a reasonable fee or refuse to act on your request if such a request is excessive, repetitive or manifestly unfounded. 

We have 1 (one) month from receiving your request (provided we have verified your identity and have enough information to locate your data) to respond. 


We keep our Privacy Policy under regular review and may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. The new Terms will be available on our websites.


For more information about our privacy practices, if you have questions, or if you would like to exercise one of your rights, or make a complaint related to your privacy or this Privacy Policy, please contact us by e‑mail at  or by post using the details provided below:

Data Protection Officer,

London Medical Laboratory,

2 Pensbury Street, 

London, SW8 4TJ


Updated 25 November 2022